Abstract


A major difficulty in quantum rewinding is the fact that measurement is destructive: extracting information from a quantum state irreversibly changes it. This is especially problematic in the context of zero-knowledge simulation, where preserving the adversary’s state is essential.

In this work, we develop new techniques for quantum rewinding in the context of extraction 
and zero-knowledge simulation: 


1. We show how to extract information from a quantum adversary by rewinding it without 
disturbing its internal state. We use this technique to prove that important interactive 
protocols, such as the Goldreich-Micali-Wigderson protocol for graph non-isomorphism 
and the Feige-Shamir protocol for NP, are zero-knowledge against quantum adversaries. 


2. We prove that the Goldreich-Kahan protocol for NP is post-quantum zero knowledge using 
a simulator that can be seen as a natural quantum extension of the classical simulator. 


Our results achieve (constant-round) black-box zero-knowledge with negligible simulation error, appearing to contradict a recent impossibility result due to Chia-Chung-Liu-Yamakawa (FOCS 2021). This brings us to our final contribution:


3. We introduce coherent-runtime expected quantum polynomial time, a computational model 
that (1) captures all of our zero-knowledge simulators, (2) cannot break any polynomial 
hardness assumptions, and (3) is not subject to the CCLY impossibility. In light of our 
positive results and the CCLY negative results, we propose coherent-runtime simulation 
to be the right quantum analogue of classical expected polynomial-time simulation. 
1 Introduction


Zero-knowledge protocols are a fundamental tool in modern cryptography in which a 
prover convinces a verifier that some statement is true without revealing any additional information. 
This security property is formalized via simulation: the view of any (even malicious) verifier V* 
can be simulated in polynomial time (without access to, e.g., an NP witness for the statement). 

Although the zero-knowledge property sounds almost paradoxical, it is achieved by designing a simulator S^{V*} that makes use of V* in ways that the honest protocol execution cannot, thereby resolving the apparent paradox. In the simplest and most common setting, the key simulation technique is rewinding. Given an interactive adversary A, an oracle algorithm S^A is said to rewind the adversary if it saves the state of A midway through an execution in order to run A multiple times on different inputs. Rewinding is ubiquitous in the analysis of interactive proof systems, establishing properties such as zero-knowledge [GMR85, GMW86], soundness [Kil92], and knowledge-soundness [BG93].

However, since the foundational techniques of interactive proof systems were established, our conception of what constitutes efficient computation has fundamentally changed. Both in theory and in practice [AAB+19], quantum computers appear to have capabilities beyond that of any efficient classical computer. Thus, it is imperative to analyze security against quantum adversaries. In this work, we consider this question for zero-knowledge protocols.


When do classical zero-knowledge protocols remain secure against quantum adversaries? 


At a minimum, such protocols must be based on post-quantum cryptographic assumptions. However, since zero-knowledge is typically proved via rewinding, resolving this question also entails understanding to what extent we can rewind quantum adversaries. Unfortunately, rewinding quantum adversaries is notoriously difficult because an adversary’s internal state may be disturbed if any classical information is recorded about its response, potentially rendering it useless for subsequent executions [ARU14].

By now, a few techniques exist to rewind quantum adversaries [ACL21, CMSZ21], but the range of protocols to which these techniques apply remains quite limited. As a basic example, Watrous’s zero-knowledge simulation technique applies to the standard [GMW86] zero-knowledge proof system for graph isomorphism but (as noted in [ARU14]) does not apply to the related [GMW86] zero-knowledge proof system for graph non-isomorphism (GNI). Recall that in the GNI protocol, the prover P wants to convince the verifier V that two graphs G_0, G_1 are not isomorphic. To do so, the verifier sends a random isomorphic copy H of G_b for a uniformly random bit b, to which the prover returns b.^1 However, to ensure zero-knowledge, the verifier first gives a proof of knowledge (PoK) that H is isomorphic to either G_0 or G_1 via a variant of the parallel-repeated graph isomorphism Σ-protocol. Intuitively, this ensures that a malicious verifier V* already knows b and hence does not learn anything new from the interaction. The classical zero-knowledge simulator for the GNI protocol has two steps:
The classical zero-knowledge simulator for the GNI protocol has two steps: 


1. Extract an isomorphism π satisfying π(H) = G_b for some b using multiple valid PoK responses from the malicious verifier V*.

2. Simulate the view of V* in a real interaction by returning b (computed efficiently from π).


^1 For this overview, we focus on the soundness 1/2 case, but appropriate parallel repetition of this step reduces the soundness error.


It turns out that this kind of extract-and-simulate approach is beyond the reach of existing quantum rewinding techniques, because all known techniques for extracting information from multiple executions of the adversary fundamentally disturb the state. While this particular example just concerns the GNI protocol, this extract-and-simulate approach is very widely applicable, especially in the context of composition, including protocols that follow the “FLS trapdoor paradigm” or make use of extractable commitments [Ros04]. Given this state of affairs, we ask:

When is it possible to undetectably extract information from a quantum adversary?


As per the above discussion, if it is possible to undetectably extract from the proof-of-knowledge subroutine in the [GMW86] GNI protocol, then the full protocol is zero-knowledge against quantum adversaries.


1.1 This Work 


In this work, we develop new techniques for quantum rewinding in the context of extraction and 
zero-knowledge simulation: 


(1) Our first contribution is to give a quantum analogue of the extract-and-simulate paradigm used in many classical zero-knowledge protocols, in which a simulator uses information extracted from multiple protocol transcripts to simulate the verifier’s view. The key difficulty in the quantum setting is to extract this information without causing any noticeable disturbance to the verifier’s quantum state — beyond the disturbance caused by a single protocol execution.


While recent techniques allow extracting from multiple protocol transcripts, a major problem is that their extractor noticeably disturbs the adversary’s state. We revisit this approach to extraction and, using several additional ideas, construct an undetectable extractor for a broad class of protocols. Using this extraction technique, we prove that the original [GMW86] protocol for graph non-isomorphism and some instantiations of the [FS90] protocol for NP are zero-knowledge against quantum adversaries.


(2) We next turn our attention to the Goldreich-Kahan [GK96] zero-knowledge proof system for NP. Informally, analyzing the [GK96] proof system presents different challenges as compared to [GMW86, FS90] because in the latter protocols, rewinding is used for extraction (after which simulation is straight-line), while in the [GK96] protocol, rewinding is used for the simulation step (while extraction is trivial/straight-line).


Nevertheless, we show that some of our techniques are also applicable in this setting. We prove that the [GK96] protocol is zero-knowledge against quantum adversaries. Our simulator can be viewed as a natural quantum extension of the classical simulator.


Previously, [CCY21] used different techniques to show that the [GK96] protocol is ε-zero-knowledge against quantum adversaries, but their simulation strategy cannot achieve negligible accuracy.


Isn’t this impossible? As stated above, our results (both (1) and (2)) achieve constant-round black-box zero-knowledge with negligible simulation accuracy. Recently, [CCLY21] showed that there do not exist black-box expected quantum polynomial time (EQPT) simulators for constant-round protocols for any language L ∉ BQP. The source of the disconnect between our results and [CCLY21] is an ambiguity in the definition of EQPT. This brings us to our final contribution.


(3) We formally study the notion of expected runtime for quantum machines and formulate a model of expected quantum polynomial time simulation that avoids the [CCLY21] impossibility result.


We now discuss these contributions in more detail. To avoid confusion about the formal statements of (1) and (2), we begin by describing (3).


1.2 Coherent-Runtime Expected Quantum Polynomial Time 


While [CCLY21] do not formally define EQPT,^2 implicit in their result is the following computational model, which we call measured-runtime EQPT (EQPT_m). In this model, a computation on input |ψ⟩_A is the following process, for a fixed “transition” unitary U_δ (corresponding to a quantum Turing machine transition function δ) and an exponential time bound T:^3

1. Initialize a fresh memory/work register W to |0^T⟩_W and a designated “halt” qubit Q to |0⟩;
2. Repeat for at most T steps:

   (a) measure Q and halt if it is 1;

   (b) apply U_δ to A ⊗ Q ⊗ W.

The result of the computation is the residual state on A once the computation has halted. We say that a computation is EQPT_m if for all states |ψ⟩_A, the expected running time of this computation is poly(λ). Using this model, we can give a more precise formulation of the [CCLY21] theorem: black-box EQPT_m zero-knowledge simulators for constant-round protocols do not exist. The key feature of the EQPT_m model that enables the result is that the runtime is measured.

In this work, we consider a different computational model for EQPT simulation called coherent-runtime EQPT (EQPT_c). In our model, simulators have the ability to run EQPT_m procedures coherently — which yields a superposition over computations with different runtimes — and then later uncompute the runtime by running the same computation in reverse.

Our notion of EQPT_c (see Definition 9.3) captures (as a special case) computations of the form depicted in Fig. 1 on an input |φ⟩_X, where the result of the computation is the residual state on X. In Fig. 1, C_1, C_2, C_3 are arbitrary polynomial-size quantum circuits and U is a unitary that coherently implements an EQPT_m computation.^4 In slightly more detail, any EQPT_m computation with transition unitary U_δ and runtime bound T can be expressed as a unitary circuit U = V_T ··· V_2 V_1 where each V_i consists of two steps: (1) CNOT the halt qubit onto a register B_i, and then (2) apply U_δ controlled on B_i = 0. The unitary U acts on A ⊗ Q ⊗ W ⊗ B where B := B_1 ⊗ ··· ⊗ B_T. While our full definition of EQPT_c is more general, all the simulators we give can be written in the form of Fig. 1. In Fig. 1, the input register is of the form X = A ⊗ X_2, where X_2 is isomorphic to A.

^2 When defining quantum zero-knowledge simulation, [CCLY21, Page 12] requires that the simulator is a quantum Turing machine with expected polynomial runtime, and refers to an earlier work (which uses Deutsch’s definition of a quantum Turing machine) for the quantum Turing machine model. However, as we discuss in Section 2.1, that work restricts quantum Turing machines to have a fixed running time (see its Def. 3.11) in order to avoid difficult-to-resolve subtleties about quantum Turing machines with variable running time [Oza98b].

^3 The exponential time bound is simply for convenience; by Markov’s inequality, for any expected polynomial time computation, truncating the computation after an exponential number of steps has only a negligible effect on the output state.

^4 Our actual definition is for uniform computation, so (U, C_1, C_2, C_3) will have a uniform description.


Figure 1: An example of an EQPT_c circuit.


We discuss and motivate the definition of EQPT_c in detail in Section 2.1. For now, we note two key properties of the model. First, the ability to apply U^† is what enables us to circumvent the [CCLY21] impossibility for EQPT_m. Second, we show a result analogous to the statement that any expected classical polynomial time computation can be truncated to fixed polynomial-time with small error.


Lemma 1.1 (informal, see Claim 9.4). Any EQPT_c computation can be approximated with ε accuracy by a quantum circuit of size poly(λ, 1/ε).


Importantly, this lemma ensures that EQPT_c computations cannot break post-quantum polynomial hardness assumptions (unless the assumptions are false). We also note that this lemma implies that black-box zero-knowledge with EQPT_c simulation implies ε-zero-knowledge with strict quantum polynomial time simulation.^5


What does this mean for post-quantum zero knowledge? Since the introduction of zero-knowledge protocols [GMR85], expected polynomial-time simulation has been the de facto model for classical zero knowledge. Although expected polynomial-time simulators cannot actually be run “in real life” (to negligible accuracy), the security notion captures negligible accuracy simulation in a computational model that cannot break polynomial hardness assumptions. Moreover, since strict polynomial-time simulation is ruled out for constant-round protocols, expected polynomial-time simulation captures the strongest^6 provable zero-knowledge properties of many fundamental protocols such as quadratic non-residuosity [GMR85], graph non-isomorphism [GMW86], Goldreich-Kahan [GK96], and Feige-Shamir [FS90].

The combination of our positive results and the [CCLY21] negative results transports this state of affairs entirely to the post-quantum setting. In particular, the conclusion we draw from the [CCLY21] negative result is that one must go beyond the EQPT_m model in order to find the right quantum analogue of classical expected polynomial-time zero knowledge simulation. We propose EQPT_c to be that quantum analogue.


^5 We also note that all of our simulators can be truncated to run in time poly(λ) · 1/ε and achieve ε-ZK, matching the ε-dependence of the classical simulator.

^6 Other models of efficient simulation have been proposed (in the classical setting), but they are relaxations of expected polynomial time simulation. It should be possible to define similar relaxations in the quantum setting, but we focus on obtaining an analogue to “standard” expected polynomial time simulation.


With this discussion in mind, we proceed to describe our results on post-quantum zero-knowledge 
and extraction in more detail. 


1.3 Results on Zero Knowledge 


Our main results regarding post-quantum zero knowledge are as follows. First, we show that the [GMW86] graph non-isomorphism protocol is zero knowledge against quantum verifiers.


Theorem 1.2. The [GMW86] 4-message proof system for graph non-isomorphism is a post-quantum statistical zero knowledge proof system. The zero-knowledge simulator is black-box and runs in EQPT_c.


The [GMW86] GNI protocol follows a somewhat general template using instance-dependent commitments [MV03]; we believe Theorem 1.2 should extend to other instantiations of this paradigm (e.g. for lattice problems).

With some additional work, we use similar techniques to show how to instantiate the “extract- 
and-simulate” paradigm of Feige-Shamir in the post-quantum setting. 


Theorem 1.3. Assuming super-polynomially secure non-interactive commitments, a particular instantiation of the [FS90] 4-message argument system for NP is (sound and) zero-knowledge against quantum verifiers. The zero-knowledge simulator is black-box and runs in EQPT_c.


Finally, using a different approach, we show that the Goldreich-Kahan [GK96] zero-knowledge proof system remains ZK against quantum adversaries.


Theorem 1.4. When instantiated using a collapse-binding and statistically-hiding commitment scheme, the [GK96] protocol is zero-knowledge with a black-box EQPT_c simulator.


As a bonus, the simulator we construct in Theorem 1.4 bears a strong resemblance to the classical Goldreich-Kahan simulator, giving a clean conceptual understanding of constant-round zero knowledge in the quantum setting.


1.4 Results on Extraction 


As alluded to in the introduction, Theorem 1.2 and Theorem 1.3 are proved using new results on post-quantum extraction. We achieve “undetectable extraction” under the following definition of a state-preserving proof of knowledge.^7


Definition 1.5. An interactive protocol Π is defined to be a state-preserving argument (resp. proof) of knowledge if there exists an extractor Ext with the following properties:

• Syntax: For any quantum algorithm P* and auxiliary state |ψ⟩, Ext^{P*(·,|ψ⟩)} outputs a protocol transcript τ, prover state |ψ′⟩, and witness w.

• Extraction Efficiency: If P* is a QPT algorithm, Ext^{P*(·,|ψ⟩)} runs in expected quantum polynomial time (EQPT_c).

• Extraction Correctness: the probability that τ is an accepting transcript but w is an invalid NP witness is negligible.

• State-Preserving: the pair (τ, |ψ′⟩) is computationally (resp. statistically) indistinguishable from a transcript-state pair (τ*, |ψ*⟩) obtained through an honest one-time interaction with P*(·, |ψ⟩) (where |ψ*⟩ is the prover’s residual state).

^7 This is a quantum analogue of witness-extended emulation [BG02]. Our definition is also similar to a definition appearing in [ACL21], although they only consider the setting of statistical state preservation.


Proofs/arguments of knowledge are typically used (rather than just sending an NP witness) to achieve either succinctness or security against the verifier (e.g., witness indistinguishability) [FS90]. We show that standard 3- and 4-message protocols in both of these settings are state-preserving proofs/arguments of knowledge.


Theorem 1.6 (State-preserving succinct arguments). Assuming collapsing hash functions exist, 
there exists a 4-message public-coin state-preserving succinct argument of knowledge for NP. 


For witness indistinguishability (WI), we have three related constructions achieving slightly 
different properties under different computational assumptions. 


Theorem 1.7 (State-preserving WI arguments). Assuming collapsing hash functions or super-polynomially secure one-way functions, there exists a 4-message public-coin state-preserving witness-indistinguishable argument (in the case of collapsing)/proof (in the case of OWFs) of knowledge. Assuming super-polynomially secure non-interactive commitments, there exists a 3-message PoK achieving the same properties.


In fact, as we will explain in the technical overview, we give explicit conditions under which 
any proof/argument of knowledge is also state-preserving. 

One special case of Theorem 1.7 that we would like to highlight is that of extractable commitments [PW09]. An extractable commitment scheme ExtCom is a commitment scheme with the property that a committed message m can be extracted given black-box access to an adversarial sender (provided that the adversary is sufficiently convincing). Analogously to the setting of proofs-of-knowledge, we consider “state-preserving” extractable commitments (see, e.g., [BCKM21]), in which the extractor must simulate the entire view of the adversarial committer in addition to extracting the message. This variant of extractable commitments is quite natural; for example, it is exactly the property necessary to prove the post-quantum security of the zero-knowledge proof system for NP. An immediate corollary of Theorem 1.7 is a new construction of state-preserving extractable commitments.


Corollary 1.8 (Extractable commitments). Assuming super-polynomially secure non-interactive commitments, there exists a 3-message public-coin post-quantum statistically-binding extractable commitment scheme. Assuming super-polynomially secure one-way functions, there exists a 4-message scheme with the same properties. Finally, assuming (polynomially secure) collapsing hash functions, there exists a 4-message public-coin collapse-binding extractable commitment scheme.


We leave open the problem of using these techniques to achieve a statistically-binding extractable commitment scheme from polynomial assumptions.

More generally, we expect our state-preserving extraction results to be useful for future applications, both in the context of zero-knowledge and beyond.


2 Technical Overview 


In this section, we describe our techniques for proving our results on state-preserving extraction (Theorems 1.6 and 1.7) and post-quantum zero knowledge (Theorem 1.2, Theorem 1.3 and Theorem 1.4). Finally, we discuss related work in Section 2.5.


2.1 Defining Expected Quantum Polynomial Time Simulation 


In order to clearly present our results on zero knowledge, we begin with a detailed discussion of our model of expected quantum polynomial time simulation and how it relates to the [CCLY21] impossibility result.


Why is EQPT simulation hard to define? Recall from Section 1.2 that [CCLY21] rules out zero-knowledge simulators in a class of computations that we formalize as measured-runtime expected quantum polynomial-time (EQPT_m). An EQPT_m computation takes as input a state |ψ⟩_A, initializes a large ancilla/workspace register |0⟩_W and state register |q_0⟩_Q (where |q_0⟩ denotes the initial state of a quantum Turing machine), then repeatedly applies some fixed transition unitary U_δ to A ⊗ W ⊗ Q. After each application of U_δ, Q is measured (applying some (Π_f, I − Π_f)) to determine if the computation is in the “halt state” |q_f⟩; the computation halts if the outcome of this measurement is 1. A computation is EQPT_m if the expected number of steps before halting is polynomial for all inputs |ψ⟩_A.

Our EQPT_m definition is based on the definition of a quantum Turing machine (QTM) given in the seminal work of Deutsch (though we use a halt state in place of Deutsch’s halt qubit). Note that the operation of a QTM is unitary except for the measurement of whether the machine has halted. The validity of this “halting scheme” was the subject of some debate in a sequence of later works [Oza98b].

While the particulars of this debate are not so important here, there was a clear message: the 
reversibility of a QTM implies that the runtime of any QTM computation is always effectively 
measured, even if there is no explicit monitoring of the halt state. Intuitively, this is because a 
QTM that has halted must, when reversed, know when to “un-halt”; this requires counting the 
number of computation steps since the machine halted. 

It was observed by [LP98] that this prevents “useful interference” between branches of a QTM computation with different runtimes. That is, each branch of the computation is entangled with a description of its runtime, which prevents the branches from interfering with one another. Because interference is crucial in the design of efficient quantum algorithms, this is considered a major drawback of the QTM model. The now-standard definitions of efficient quantum computation deliberately avoid this problem by restricting quantum Turing machines to have a fixed runtime; these QTMs are effectively uniform quantum circuit families.

This phenomenon underpins the [CCLY21] impossibility result. Both in the classical and quantum settings, there do not exist strict polynomial time black-box simulators for constant-round protocols. It follows that such a simulator must have a variable runtime. By the observation of [LP98], simulation branches with different runtimes do not interfere. [CCLY21] leverage this by designing an adversary which can detect this absence of interference.


Can we avoid measuring the runtime? The above discussion suggests that the EQPT_m model (i.e., quantum Turing machines in Deutsch’s model with expected polynomial runtime) may not capture arbitrary efficient quantum computation. In particular, we ask whether it is possible to formalize a model in which the runtime is not measured. Such a model could potentially avoid the [CCLY21] impossibility result.

Our solution is to formalize computations in which the runtime of an EQPT,, subcomputation 
is left in superposition and can later be uncomputed. To describe our formalism in more detail, we 
first briefly discuss coherent computation. 


Coherent computation. It is well known that any quantum operation Φ on a state |ψ⟩ can be realized in three steps: (1) prepare some ancilla qubits in a fixed state |0⟩; (2) apply a unitary operation U_Φ to both |ψ⟩ and the ancilla; (3) discard (trace out) the ancilla. We refer to U_Φ as a unitary dilation of Φ. U_Φ is not uniquely determined by Φ, but all such dilations are related by an isometry acting only on the ancilla system.

Since an EQPT_m computation is a quantum operation, it has a unitary dilation. In fact, we can choose a unitary dilation with a natural explicit form that we call a “coherent implementation”, as shown in Fig. 2.

[Figure 2: circuit diagram; the ancilla wires B_1, B_2, ..., B_T enter in |0⟩.]

Figure 2: A coherent implementation U (unitary dilation) of a quantum Turing machine with transition function δ. The open circles indicate that the ith U_δ is applied when B_i contains |0⟩.

See Section 9.1 for more details.


Note that since we think of T as being exponentially large, the unitary U (corresponding to Fig. 2) is of exponential size. However, as long as the ancilla W ⊗ B (where B := B_1 ⊗ ··· ⊗ B_T) is initialized to zero and Q is initialized to |q_0⟩, the effect of U on A is identical to the original EQPT_m computation. Indeed, the only difference from the original computation is that the runtime is written (in unary) on B and left in superposition. This means, in particular, that circuits making a single black-box query to a coherent implementation U of an EQPT_m computation (and that cannot otherwise access δ) can only perform EQPT_m computations.


Our formalism: coherent-runtime EQPT. The advantage of moving to coherent implementations is that, unlike the original computation, U has an inverse U^†. A coherent-runtime EQPT computation is allowed to invoke both U and U^† in a restricted way, as we specify next.


Definition 2.1 (Coherent-runtime EQPT (informal)). A computation on a register X is coherent-runtime EQPT (EQPT_c) if it can be implemented by a procedure that can perform the following operations any polynomial number of times:
(1) apply any polynomial-size quantum circuit to X;
(2) initialize fresh ancillas W^{(i)} ⊗ B^{(i)} to zero and Q^{(i)} to |q_0⟩ and apply a coherent implementation U_i of an EQPT_m computation to W^{(i)} ⊗ B^{(i)} ⊗ Q^{(i)} and a subregister of X;
(3) apply U_i^† to ancillas W^{(i)} ⊗ B^{(i)} ⊗ Q^{(i)} and a subregister of X, then discard (W^{(i)}, B^{(i)}, Q^{(i)}). For each U_i, this operation may occur at any time after performing (2) with respect to U_i.
The output of the computation is the residual state on X.


Note that, because all unitary dilations are equivalent up to local isometry, the map computed by an EQPT_c computation is independent of the particular implementation of U_i.


What is the runtime of an EQPT_c computation? While procedures performing only (1) and (2) are clearly efficient (they are EQPT_m), the efficiency of performing U_i^† in (3) is less immediate. We analyze this in two ways:


• We prove (Claim 9.4) that any EQPT_c computation has strict polynomial-time approximations (obtained by simultaneously truncating each U_i and U_i^† to the same fixed runtime). This tells us that EQPT_c algorithms do not implement “inefficient” computations.

• We give a natural interpretation of “expected runtime” under which the expected runtime of U^† (as applied in (3)) is equal to the expected runtime of U.


Together, these give us a motivated definition of the expected runtime of an EQPT_c computation.

Claim 9.4 is proved in Section 9. In this overview, we focus on the expected runtime interpretation. For simplicity, we consider the basic form of EQPT_c computation depicted in Fig. 1; we assume in addition that C_1 = C_3 = I and that the computation always halts in at most T steps.

Let U^{(t)} be the truncation of U to just after the t-th controlled application of U_δ. Observe that after applying U followed by C_2 on input state |φ⟩, the state of the system can be described as a superposition over t of the applications of the U^{(t)}:


$$|\Gamma\rangle = \sum_{t=0}^{T} \alpha_t\, |0^t 1^{T-t}\rangle_B\, |\phi_t\rangle = \sum_{t=0}^{T} \alpha_t\, (I \otimes C_2)\, U^{(t)}\, |0^t 1^{T-t}\rangle_B\, |\phi\rangle$$

for some states |φ_t⟩ and α_t ∈ ℂ where |α_t|² is the probability that the EQPT_m computation halts in t steps. The latter equality holds because if the computation halts at step t, the effect of the last T − t steps of U is only to flip B_{t+1}, ..., B_T from |0⟩ to |1⟩ (and C_2 does not act on B).

We emphasize that since U is a coherent implementation of an EQPT_m computation, we know that

$$\sum_{t} |\alpha_t|^2 \cdot t = \mathrm{poly}(\lambda),$$

as the left-hand side is equal to the expected runtime of U as an EQPT_m computation.

Now, for any state |ψ⟩ on Q ⊗ W ⊗ X, we can also express an application of U^† to B ⊗ Q ⊗ W ⊗ X entirely in terms of the unitary U^{(t)}, where t is the contents of the B register. Specifically, we have

$$U^{\dagger}\big(|0^t 1^{T-t}\rangle_B\, |\psi\rangle\big) = (U^{(t)})^{\dagger}\big(|0^T\rangle_B\, |\psi\rangle\big),$$

because the effect of the first T − t steps of U^† on this state is only to flip B_{t+1}, ..., B_T from |1⟩ to |0⟩. As a result, the final state of the system (after the entire EQPT_c computation) is


$$U^{\dagger}|\Gamma\rangle = \sum_{t=0}^{T} \alpha_t\, U^{\dagger}(I \otimes C_2)\, U^{(t)}\, |0^t 1^{T-t}\rangle_B\, |\phi\rangle = \sum_{t=0}^{T} \alpha_t\, (U^{(t)})^{\dagger}(I \otimes C_2)\, U^{(t)}\, |0^T\rangle_B\, |\phi\rangle.$$

We can interpret this to mean that within the “branch” of the superposition where U ran in time t, the running time of U^† is also t, even if an arbitrary computation C_2 has been applied to X in between the applications of U and U^†. This gives an intuitive explanation for how EQPT_c computations are efficient: they simply compute an (α_t)_t-superposition over branches in which U and U^† together ran for 2t steps, such that the expectation Σ_t |α_t|² · t is polynomial! Curiously, the [LP98] reversibility issue indicates that such a computation cannot be implemented by an EQPT_m quantum Turing machine, which is what necessitates our new EQPT_c definition.

With all of this as motivation, we define the expected running time of an EQPT_c computation of the form (U, C_1 = I, C_2, C_3 = I) to be the appropriate linear combination of the branch runtimes, which is

$$\sum_{t} |\alpha_t|^2 \cdot \big(2t + \mathrm{time}(C_2)\big) = 2 \cdot \mathrm{time}(U) + \mathrm{time}(C_2),$$

where time(U) is the expected running time of U as an EQPT_m computation and time(C_2) is the (strict) running time of C_2. Claim 9.4 (whose proof makes use of this analysis) provides additional justification for this definition.
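The following is an added example, not code from the paper, that simulates the coherent implementation U = V_T ··· V_1 described in Section 1.2 and above on a constructed toy machine. Everything about the machine is an assumption made for the example: a single data qubit A (the work register W is folded into A), the halt qubit Q, T = 4 unary-runtime qubits B_1, ..., B_T, a transition unitary U_δ that flips A and rotates Q so that the machine halts with probability 3/4 at each step, and a Hadamard on A as the circuit C_2 applied between U and U^†. It checks three statements from the overview: a well-formed run of U leaves the runtime in unary on B in superposition, with |α_t|² equal to the halting probabilities of the measured-runtime computation (so Σ_t |α_t|²·t is the expected runtime); U^† undoes U; and U^†(I ⊗ C_2)U acts branch by branch, i.e. in the branch where U ran t steps, U^† runs exactly t steps as well.

```python
"""Added toy simulation (not the paper's code) of a coherent implementation U = V_T ... V_1
of a measured-runtime computation, as described in the overview.  Registers: A (one data
qubit; the work register W is folded into A), Q (halt qubit), B = B_1 ... B_T (runtime in
unary).  A state is a dict mapping a basis tuple (a, q, b) to its complex amplitude."""
from math import cos, sin, pi

THETA = 2 * pi / 3   # assumed: U_delta rotates Q by THETA; halt probability per step is sin^2(THETA/2) = 3/4
T = 4                # assumed time bound
TOL = 1e-9


def _add(state, key, amp):
    if abs(amp) > 1e-15:
        state[key] = state.get(key, 0.0) + amp


def ctrl_udelta(state, i, dagger=False):
    """Apply U_delta = X_A (x) Ry(THETA)_Q (its inverse if dagger) to every branch with B_i = 0."""
    c, s = cos(THETA / 2), (-1 if dagger else 1) * sin(THETA / 2)
    out = {}
    for (a, q, b), amp in state.items():
        if b[i] == 1:                      # control off: this branch halted before step i
            _add(out, (a, q, b), amp)
            continue
        a2 = a ^ 1                         # the "work" done per step: flip A
        if q == 0:                         # Ry|0> = c|0> + s|1>
            _add(out, (a2, 0, b), amp * c)
            _add(out, (a2, 1, b), amp * s)
        else:                              # Ry|1> = -s|0> + c|1>
            _add(out, (a2, 0, b), -amp * s)
            _add(out, (a2, 1, b), amp * c)
    return out


def cnot_q_to_b(state, i):
    """CNOT the halt qubit Q onto B_i: records whether the machine had halted before step i."""
    out = {}
    for (a, q, b), amp in state.items():
        _add(out, (a, q, b[:i] + (b[i] ^ q,) + b[i + 1:]), amp)
    return out


def U_trunc(state, t):
    """U^{(t)} = V_t ... V_1, where V_i = (U_delta controlled on B_i = 0) after CNOT(Q -> B_i)."""
    for i in range(t):
        state = ctrl_udelta(cnot_q_to_b(state, i), i)
    return state


def U_trunc_dagger(state, t):
    """(U^{(t)})^dagger = V_1^dagger ... V_t^dagger: undo the steps in reverse order."""
    for i in reversed(range(t)):
        state = cnot_q_to_b(ctrl_udelta(state, i, dagger=True), i)
    return state


def initial_state(a=0):
    """Well-formed input: data qubit |a>, halt qubit |0>, B = |0^T>."""
    return {(a, 0, (0,) * T): 1.0}


def branch_probabilities(state):
    """|alpha_t|^2 for t = 0..T: the weight of the branch whose B register reads 0^t 1^(T-t)."""
    probs = [0.0] * (T + 1)
    for (_, _, b), amp in state.items():
        t = b.count(0)
        assert b == (0,) * t + (1,) * (T - t), "runtime is always written in unary on B"
        probs[t] += abs(amp) ** 2
    return probs


def expected_runtime(probs):
    """sum_t |alpha_t|^2 * t: the expected runtime of U as an EQPT_m computation."""
    return sum(t * p for t, p in enumerate(probs))


def apply_c2(state):
    """C_2: a Hadamard on A, standing in for the arbitrary circuit run between U and U^dagger."""
    h, out = 0.5 ** 0.5, {}
    for (a, q, b), amp in state.items():
        _add(out, (0, q, b), amp * h)
        _add(out, (1, q, b), amp * h * (-1 if a else 1))
    return out


def close(s1, s2):
    return all(abs(s1.get(k, 0.0) - s2.get(k, 0.0)) < TOL for k in set(s1) | set(s2))


def project_branch(state, t):
    """Keep the branch with B = 0^t 1^(T-t) and reset B to 0^T (what the first T-t steps of U^dagger do)."""
    pat = (0,) * t + (1,) * (T - t)
    return {(a, q, (0,) * T): amp for (a, q, b), amp in state.items() if b == pat}


def inverse_is_reversible():
    """U^dagger U |init> = |init>."""
    return close(U_trunc_dagger(U_trunc(initial_state(), T), T), initial_state())


def inverse_runs_branchwise():
    """U^dagger (I (x) C_2) U |init> equals sum_t (U^{(t)})^dagger (I (x) C_2) Pi_t U |init>:
    in the branch where U ran t steps, U^dagger also runs exactly t steps."""
    gamma = apply_c2(U_trunc(initial_state(), T))          # (I (x) C_2) U |init>
    lhs = U_trunc_dagger(gamma, T)
    rhs = {}
    for t in range(T + 1):
        for k, amp in U_trunc_dagger(project_branch(gamma, t), t).items():
            _add(rhs, k, amp)
    return close(lhs, rhs)


if __name__ == "__main__":
    probs = branch_probabilities(U_trunc(initial_state(), T))
    print("|alpha_t|^2 for t = 0..T:", [round(p, 6) for p in probs])
    print("expected runtime:", expected_runtime(probs))
    print("reversible:", inverse_is_reversible(), " branchwise:", inverse_runs_branchwise())
```

With the assumed angle the halting distribution is geometric with ratio 1/4 (|α_1|² = 3/4, |α_2|² = 3/16, |α_3|² = 3/64, and the remaining 1/64 sits in the B = 0^T branch that ran all T steps), so the expected runtime is 85/64 steps; the branchwise check is exactly the identity U^†(|0^t 1^{T−t}⟩_B |ψ⟩) = (U^{(t)})^†(|0^T⟩_B |ψ⟩) applied to each branch of (I ⊗ C_2)U|φ⟩.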


Extension to multiple U_i. Everything we have discussed so far extends to the general case of Definition 2.1. However, we emphasize that the above analysis crucially relies on the ancilla being well-formed. This is the reason that EQPT_c algorithms have restricted access to U_i, U_i^†: removing any of these restrictions could lead to applying these operations on malformed ancillas. Indeed, one can show that allowing an algorithm to apply U_i, U_i^†, U_i to the same ancilla register would enable it to perform exponential-time computations.


Having established our computational model for simulation/extraction, we now give a detailed 
overview of our simulation and extraction techniques. 


2.2 Post-Quantum ZK for [GMW86] and [FS90] from Guaranteed Extraction


The central idea behind our proofs of post-quantum ZK for the [GMW86] GNI protocol and a variant of the [FS90] protocol for NP is state-preserving extraction (Definition 1.5). Given a state-preserving extractor for the appropriate “one-out-of-two graph isomorphism” subroutine, proving post-quantum ZK for the [GMW86] GNI protocol follows easily, as simulating a cheating verifier immediately reduces to performing a state-preserving extraction of the verifier’s (uniquely determined) bit b such that H ≅ G_b. Proving post-quantum ZK for the [FS90] protocol is more complicated because the Feige-Shamir protocol is a concurrent composition of two different protocols; we refer the reader to Section 12 for details on its analysis.

In this subsection, we show that state-preserving extraction reduces to a related task that we 
call guaranteed extraction; achieving the latter will be the focus of 
Consider a 3-message⁵ public-coin classical proof of knowledge (P_Σ, V_Σ) satisfying special 
soundness⁶: for any prover first message a and any pair of accepting transcripts (a, r, z), (a, r', z') on 
different challenges r ≠ r', it is possible to extract a witness from (a, r, z, r', z'). For any such 
protocol, in the classical setting, it is possible to extract a witness from a cheating prover P* as 
follows: 


• Given a cheating prover P*, the extractor first generates a single transcript (a, r, z) by running 
P* to obtain a, and then running it on a random r to get z. If the transcript is rejecting, the 
extractor gives up. 


• If the transcript is accepting, the extractor rewinds P* to the point after a was sent, and then 
repeatedly sends i.i.d. challenges r_1, r_2, ... until P* produces another accepting transcript. 


As long as the prover has significantly greater than 2^{-λ} probability of convincing the verifier, the 
second accepting transcript (a, r', z') produced will satisfy r ≠ r' with all but negligible probability, 
and thus a witness can be computed. In other words, this extractor guarantees (with all but 
negligible probability) that a witness is extracted conditioned on an initial accepting execution. 
Moreover, for any efficient P*, the expected runtime of this procedure is poly(λ), since if P* (with 
some fixed random coins) is convincing with probability p, the expected number of rewinds in this 
procedure is 1/p and thus the overall expected number of rewinds is p · (1/p) = 1. 
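The classical extractor just described, as an added Python simulation that is not part of the paper: it instantiates special soundness with a toy Schnorr-style Σ-protocol over a small constructed group (P = 2039, Q = 1019 and generator 4 are constructed parameters, not from the paper), models a cheating prover P* with fixed coins that convinces the verifier on a p-fraction of challenges, and measures the average number of rewinds, which the text predicts to be p · (1/p) = 1 whatever p is.

```python
import random

# Constructed toy parameters (not from the paper): P = 2*Q + 1 is a safe prime and
# G = 4 is a quadratic residue mod P, so it generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def verify(y, a, r, z):
    """Verifier's check for a Schnorr-style transcript (a, r, z) against y = G^w mod P."""
    return pow(G, z, P) == (a * pow(y, r, P)) % P


def special_soundness(r1, z1, r2, z2):
    """Two accepting transcripts on the same a with r1 != r2 yield the witness w."""
    if r1 == r2:
        raise ValueError("special soundness needs distinct challenges")
    return ((z1 - z2) * pow(r1 - r2, -1, Q)) % Q


class CheatingProver:
    """P* with fixed random coins t: it knows w but answers correctly only on the fixed
    set of challenges r < p*Q (a p-fraction); on every other challenge its response is wrong."""

    def __init__(self, w, p, rng):
        self.w = w
        self.threshold = int(p * Q)
        self.t = rng.randrange(1, Q)        # coins fixed once; rewinding reuses them

    def first_message(self):
        return pow(G, self.t, P)            # a = G^t, the same after every rewind

    def respond(self, r):
        z = (self.t + r * self.w) % Q
        return z if r < self.threshold else (z + 1) % Q   # wrong answer off the good set


def extract(prover, y, rng):
    """The classical extractor from the text: one transcript, give up if it is rejecting,
    otherwise rewind to after a and send fresh i.i.d. challenges until a second accepting
    transcript appears. Returns (witness or None, number of rewinds)."""
    a = prover.first_message()
    r = rng.randrange(Q)
    z = prover.respond(r)
    if not verify(y, a, r, z):
        return None, 0                      # initial execution rejecting: give up
    rewinds = 0
    while True:
        rewinds += 1
        r2 = rng.randrange(Q)               # rewind: same a, same coins, new challenge
        z2 = prover.respond(r2)
        # Toy deviation: for this tiny Q we keep going on the collision r2 == r,
        # which the text treats as a negligible-probability event.
        if verify(y, a, r2, z2) and r2 != r:
            return special_soundness(r, z, r2, z2), rewinds


def extract_once(p, seed):
    """Run the extractor against a fresh P* of success fraction p; report whether the
    recovered witness equals the real one and how many rewinds were spent."""
    rng = random.Random(seed)
    w = rng.randrange(1, Q)
    witness, rewinds = extract(CheatingProver(w, p, rng), pow(G, w, P), rng)
    return witness == w, rewinds


def average_rewinds(p, trials, seed=0):
    """Mean rewinds and fraction of successful extractions over many independent runs.
    Conditioned on an accepting first run (probability p) the extractor needs about 1/p
    rewinds, so the unconditional mean should be close to p * (1/p) = 1 for any p."""
    rng = random.Random(seed)
    w = rng.randrange(1, Q)
    y = pow(G, w, P)
    total, successes = 0, 0
    for _ in range(trials):
        witness, rewinds = extract(CheatingProver(w, p, rng), y, rng)
        total += rewinds
        successes += witness == w
    return total / trials, successes / trials


if __name__ == "__main__":
    for p in (0.05, 0.2, 0.5):
        mean, ok = average_rewinds(p, 4000)
        print(f"p={p}: mean rewinds {mean:.2f}, extraction succeeded in {ok:.3f} of runs")
```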

In the quantum setting, one might hope for a similar “guaranteed” extractor, but prior works 
fail to achieve this. Indeed, [..., Page 32] explicitly asks whether something 
of this nature is possible. 

Our first idea is to abstractly define a quantum analogue of this “guaranteed” extraction prop- 
erty and show that under certain conditions, it generically implies state-preserving extraction. Since 
the classical problem can only be solved in expected polynomial time, there is again an ambiguity in 
what the quantum efficiency notion should be. However, it turns out that there is no [CCLY21]-type 
impossibility result for the problem of guaranteed extraction, so we demand the stronger EQPT_m 
extraction efficiency notion. 


Definition 2.2. (P_Σ, V_Σ) is a post-quantum proof of knowledge with guaranteed extraction if it 
has an extractor Extract^{P*} of the following form. 


• Extract^{P*} first runs the cheating prover P* to generate a (classical) first message a. 

• Extract^{P*} runs P* coherently on the superposition Σ_{r∈R} |r⟩ of all challenges to obtain a 
superposition Σ_{r,z} α_{r,z} |r, z⟩ over challenge-response pairs.⁷ 

• Extract^{P*} then computes (in superposition) the verifier’s decision V(x, a, r, z) and measures 
it. If the measurement outcome is 0, the extractor gives up. 

• If the measurement outcome is 1, run some quantum procedure FindWitness^{P*} that outputs 
a string w. 


We require that the following two properties hold. 


⁵ Throughout our discussion of proofs of knowledge, we focus on the case of 3- and 4-message protocols. We 
sometimes ignore the first verifier message vk in a 4-message protocol for notational convenience. 

⁶ This particular special soundness assumption is also for convenience; we later describe generalizations of special 
soundness for which we have results. 

⁷ In general, the response z will be entangled with the prover’s state; here we suppress this dependence. 




• Correctness (guaranteed extraction): The probability that the initial measurement re- 
turns 1 but the output witness w is invalid is negl(λ). 
• Efficiency: For any QPT P*, the procedure Extract^{P*} is in EQPT_m. 


We claim that under suitable conditions, this kind of guaranteed extraction generically implies 
state-preserving extraction, where the extractor will be EQPT_c rather than EQPT_m. We describe 
the simplest example of these conditions: when the NP language itself is in UP (i.e. witnesses are 
unique). 


Lemma 2.3 (see Lemma 10.3). If (P_Σ, V_Σ) is a post-quantum proof of knowledge with guaran- 
teed extraction for a language with unique witnesses, then (P_Σ, V_Σ) is a state-preserving proof of 
knowledge with EQPT_c extraction. 


Lemma 2.3 can be extended to higher generality. For example, informally: 
1. We can also extract “partial witnesses” that are uniquely determined by the instance x. 


2. We can extract undetectably when the first message a “binds” the prover to a single witness 
in the sense that the guaranteed extractor will only output this one witness (even if many 
others exist). 


3. This can also be extended to certain protocols whose first messages are informally “collapse- 
binding” [Unr16b] to the witness. 


These generalizations are formalized in Section 10 using the notion of a “witness-binding pro- 
tocol” (Definition 10.2). In this overview, we give a proof for the “unique witness” setting. 


Proof sketch. Let Extract^{P*} be a post-quantum guaranteed extractor with associated subroutine 
FindWitness^{P*}. We will present an EQPT_c extractor $\widetilde{\mathsf{Extract}}^{P^*}$ that has the form of an EQPT_c 
computation (see Fig. 1) where the unitary U is a coherent implementation of FindWitness^{P*}. 


Remark 2.4. This is an oversimplification of our real state-preserving extractor. In particular, 
$\widetilde{\mathsf{Extract}}^{P^*}$ as described in this overview does not fit the EQPT_c model because FindWitness^{P*} is not 
necessarily an EQPT_m computation: its running time is only expected polynomial when viewed as a 
subroutine of Extract^{P*}, which runs FindWitness^{P*} with some probability (which may be negligible) 
and moreover, only runs it on inputs consistent with the verifier decision V(x, a, r, z) = 1. In 
Section 10, we formally demonstrate that our state-preserving extractor is EQPT_c by showing that 
it can be written in the form of Fig. 1 where the unitary U is a coherent implementation of the 
EQPT_m procedure Extract^{P*}. 


Our (simplified) EQPT_c extractor $\widetilde{\mathsf{Extract}}^{P^*}$ is defined as follows. 


• Given P*, generate a first message a and superposition Σ_{r,z} α_{r,z} |r, z⟩ as in Extract^{P*}. 


• Compute the verifier’s decision bit V(x, a, r, z) in superposition and then measure it. If the 
measurement outcome is 0, measure r, z and terminate, outputting (a, r, z, w = ⊥) along with 
the current prover state. 


• If the measurement outcome is 1, let |ψ⟩ denote the current prover state. For simplicity, 
assume that |ψ⟩_H includes the superposition over (r, z) and space to write the extracted 
witness. The next steps are: 

— Run U on input |ψ⟩_H ⊗ |0⟩. 

— Measure the sub-register of H containing the witness w. 

— Run U†. 

— Measure the sub-register of H containing the current transcript r, z. 

— Return (a, r, z, w) and the residual prover state (i.e., the rest of H). 


Extraction correctness follows from the correctness of FindWitness^{P*}. Moreover, one can see 
that $\widetilde{\mathsf{Extract}}^{P^*}$ is state-preserving by considering two cases: 


• Case 1: The initial measurement returns 0. In this case, the transcript (r, z) is immediately 
measured, and the resulting (sub-normalized) state exactly matches the component of the 
post-interaction P* view corresponding to when the verifier rejects. 


• Case 2: The initial measurement returns 1. In this case, the procedure FindWitness^{P*} would 
output a valid witness with probability 1 − negl, so the output register of U(|ψ⟩_H ⊗ |0⟩) 
contains a valid witness with probability 1 − negl. Since we assumed that the language L 
is in UP, this witness register is actually deterministic, so measuring it is computationally 
(even statistically!) undetectable, and hence after applying U† the resulting state |ψ'⟩ is 
computationally indistinguishable from |ψ⟩. Thus, the output of the extractor is the measured 
witness w along with a view that is computationally indistinguishable from the view of P* 
corresponding to when the verifier accepts. 


This completes the proof sketch. □ 
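Case 2 of the proof sketch, as an added Python simulation that is not part of the paper: a state over a prover register x and a witness register is a dictionary of real amplitudes, U is the reversible oracle |x⟩|y⟩ ↦ |x⟩|y ⊕ f(x)⟩ for a constructed witness function f (so U† = U), and the block compares the fidelity between the input state and the state after "run U, measure w, run U†" when the witness is unique (f constant on the support) and when it is not.

```python
import math
import random


def uniform_state(n):
    """Constructed prover state: uniform superposition over x in {0, ..., n-1}, witness register 0."""
    amp = 1.0 / math.sqrt(n)
    return {(x, 0): amp for x in range(n)}


def apply_oracle(state, f):
    """U (and, since XOR is an involution, also U^dagger): |x>|y> -> |x>|y XOR f(x)>."""
    return {(x, y ^ f(x)): amp for (x, y), amp in state.items()}


def measure_witness_register(state, rng):
    """Measure the witness register; return (outcome, renormalised post-measurement state)."""
    probs = {}
    for (_, y), amp in state.items():
        probs[y] = probs.get(y, 0.0) + amp * amp      # amplitudes are real here
    u, acc, outcome = rng.random(), 0.0, None
    for y, pr in probs.items():
        acc += pr
        if u < acc:
            outcome = y
            break
    if outcome is None:                                # guard against rounding at acc ~ 1
        outcome = y
    norm = math.sqrt(probs[outcome])
    return outcome, {k: amp / norm for k, amp in state.items() if k[1] == outcome}


def fidelity(s1, s2):
    """|<s1|s2>|^2 for real amplitude dictionaries."""
    return sum(s1.get(k, 0.0) * s2.get(k, 0.0) for k in set(s1) | set(s2)) ** 2


def extract_and_restore(psi, f, rng):
    """The Fig. 1 pattern from the proof sketch: run U, measure w, run U^dagger.
    Returns (measured witness, fidelity of the residual state with the original |psi>)."""
    phi = apply_oracle(psi, f)                         # witness written coherently
    w, phi_w = measure_witness_register(phi, rng)      # measure only the witness sub-register
    restored = apply_oracle(phi_w, f)                  # U^dagger uncomputes the witness
    return w, fidelity(psi, restored)


def unique_witness_demo(seed=0):
    """UP-style case: every branch computes the same witness (constructed value 5), so the
    measurement is deterministic and the state is restored exactly (fidelity 1)."""
    return extract_and_restore(uniform_state(4), lambda x: 5, random.Random(seed))


def ambiguous_witness_demo(seed=0):
    """Non-unique case: the witness depends on the branch, so measuring it collapses the
    superposition and the restored state overlaps the original only partially (fidelity 1/2)."""
    return extract_and_restore(uniform_state(4), lambda x: x % 2, random.Random(seed))


if __name__ == "__main__":
    print("unique witness   :", unique_witness_demo())
    print("ambiguous witness:", ambiguous_witness_demo())
```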


How do we apply Lemma 2.3? We now describe how to instantiate Σ-protocols so that the 
reduction in Lemma 2.3 applies (see Section 10.2). 

First, we note that the un-repeated variants of standard proofs of knowledge 
are “witness-binding” in the informal sense of the generalization (2); an extractor run on such 
protocols will only output a witness consistent with the commitment string a. However, since 
the un-repeated protocols only have constant (or worse) soundness error, there is no guaranteed 
extraction procedure for them (even in the classical setting). 

In order to obtain negligible soundness error, these protocols are typically repeated in parallel; 
in this case, we do show guaranteed extraction procedures, but the protocols lose the witness- 
binding property (2). This is because each “slot” of the parallel repetition may be consistent with 
a different witness, and the extractor has no clear way of outputting a canonical one. In this case, 
measuring the witness potentially disturbs the prover’s state by collapsing it to be consistent with 
the measured witness, which would not happen in the honest execution. 

We resolve this issue using commit-and-prove. Given a generic Σ-protocol for which we have 
a guaranteed extractor, we consider a modified protocol in which the prover sends a (collapsing 
or statistically binding) commitment com = Com(w) to its NP-witness along with a Σ-protocol 
proof of knowledge of an opening of com to a valid NP-witness. When the extractor $\widetilde{\mathsf{Extract}}^{P^*}$ 
of Lemma 2.3 is applied to this protocol composition, the procedure FindWitness^{P*} (which is run 
coherently as U) actually obtains both an NP witness w and an opening of com to w. Therefore, the 
collapsing property of Com says that w can be measured undetectably. In other words, the commit- 
and-prove compiler enforces a computational uniqueness property sufficient for Lemma 2.3 to apply. 
It also turns out that the (original, unmodified) [GMW86] graph-nonisomorphism protocol can be 
viewed as using this commit-and-prove paradigm,⁸ which is one way to understand the proof of 

Finally, we remark that this commit-and-prove compiler is the cause of the super-polynomial 
assumptions in and [1.7]. This is because in order to show that a commit-and-prove 
protocol remains witness-indistinguishable, it must be argued that the proof of knowledge does 
not compromise the hiding of Com, which we only know how to argue by simulating the proof of 
knowledge in superpolynomial time (and assuming that Com is superpolynomially secure). This 
issue does not arise when Com is statistically hiding and the Σ-protocol is statistically witness- 
indistinguishable. 


2.3 Achieving Guaranteed Extraction 


So far, we have reduced from state-preserving extraction to the problem of guaranteed extraction. 
We now describe how we achieve guaranteed extraction for a wide class of Σ-protocols. Informally, 
we require that the protocol satisfies two important properties in order to perform guaranteed 
extraction: 


• Collapsing: Prover responses can be measured undetectably provided that they are valid. 


• k-special soundness: It is possible to obtain a witness given k accepting protocol transcripts 
(a, r_1, z_1, ..., r_k, z_k) with distinct r_i (for the same first prover message a). 


Both of these restrictions can be relaxed substantially (see Sections 3.5, B and 8.4 for more 
details), but we focus on this case for the technical overview. 


Theorem 2.5 (See Theorem 8.2). Any public-coin interactive argument satisfying collapsing and 
k-special soundness is a post-quantum proof of knowledge with guaranteed extraction (in EQPT_m). 


We consider Theorem 2.5 to be an interesting result in its own right and expect it to be useful 
in future work. We now describe our proof of Theorem 2.5 over the course of several steps: 


• We begin by describing an abstract template that generalizes the [CMSZ21] extraction proce- 
dure in Section 2.3.1. In this template, the extractor repeatedly (1) queries the adversary on 
i.i.d. random challenges and then (2) applies a “repair procedure” to restore the adversary’s 
success probability. 


• In Section 2.3.2, we describe a natural “first attempt” at guaranteed extraction based on 
the [CMSZ21] template. 


• We then observe in Section 2.3.3 that the entire template is unlikely to achieve guaranteed ex- 
traction in expected polynomial time. Perhaps surprisingly (and unlike the classical setting), 
querying the adversary on i.i.d. challenges appears too slow for this extraction task. 


⁸ The verifier sends an instance-dependent commitment of a bit to the prover (which is 
perfectly binding in the proof of ZK) and demonstrates knowledge of the bit and its opening. 

⁹ We highlight that the PoK subroutine in the [GMW86] graph non-isomorphism protocol is not collapsing; it is 
only collapsing onto its responses to 0 challenge bits; however, it turns out that this property is still sufficient to 
obtain guaranteed extraction for the subroutine (see Sections 5.3 and 8.4). 
• In Section 2.3.4, we introduce a new extraction template in which the adversary is entangled 
with a superposition of challenges, and the challenge is only measured once the adversary is 
guaranteed to give an accepting response. 


• While this new template is a promising idea, we are still far from achieving guaranteed 
extraction. For the rest of the overview (Sections 2.3.5 to 2.3.7), we outline several technical 
challenges in instantiating this approach, eventually leading to our final extraction procedure 
and analysis. 


2.3.1 An Abstract [CMSZ21] Extraction Template 


[CMSZ21] recently showed that protocols satisfying collapsing and k-special soundness are post- 
quantum proofs of knowledge. Unlike our setting of guaranteed extraction, the [CMSZ21] extractor 
Extract^{P*}(x, γ) is given as advice an error parameter γ and extracts from cheating provers P* 
(that may have some initial quantum state) that are convincing with probability γ* ≥ γ. The 
extractor’s success probability is roughly γ. 

At a high level, our abstract template makes use of two core subroutines that we call Estimate 
and Transform. We describe the correctness properties required of Estimate and Transform below, 
and also describe their particular instantiations in [CMSZ21]. 


Jordan’s lemma and singular vector algorithms. Let Π_A, Π_B be projectors on a Hilbert space 
H with corresponding binary projective measurements A = (Π_A, I − Π_A) and B = (Π_B, I − Π_B). 
Recall that Jordan’s lemma states that H can be decomposed as a direct sum H = ⊕_j S_j of 
two-dimensional¹³ invariant subspaces S_j, where in each S_j, the projectors Π_A and Π_B act as rank- 
one projectors |v_{j,1}⟩⟨v_{j,1}| and |w_{j,1}⟩⟨w_{j,1}|. The vectors |v_{j,1}⟩ and |w_{j,1}⟩ are also left and right 
singular vectors of Π_A Π_B with singular value √p_j, where p_j := |⟨v_{j,1}|w_{j,1}⟩|². This decomposition 
allows us to define on H the projective measurement Jor = (Π_j^{Jor})_j onto the Jordan subspaces S_j 
(i.e., image(Π_j^{Jor}) = S_j). For an arbitrary state |ψ⟩, we define the Jordan spectrum of |ψ⟩ to be the 
distribution of p_j induced by Jor. 
We will make use of procedures Estimate, Transform satisfying the following properties. 


• The Jordan subspaces S_j are invariant¹⁴ under Estimate^{A,B} and Transform^{A,B}. Equivalently, 
Estimate^{A,B} and Transform^{A,B} should commute with Jor. This property is important for argu- 
ing about the output behavior of Estimate and Transform on arbitrary states. 


• Estimate^{A,B}: on input |S_j⟩ ∈ S_j, output p ≈ p_j; the residual state remains in S_j. 


• Transform^{A,B} maps each |v_{j,1}⟩ to |w_{j,1}⟩. We have no requirements on any other state in S_j 
except that it remains in S_j. 


[CMSZ21] implement a version of Estimate (following [MW05]) with ε accuracy by alternating 
A and B for t = poly(λ)/ε² steps. The output is p = d/(t − 1) where d is the number of occurrences 
of b_i = b_{i+1} among the outcomes b_1, b_2, ..., b_t. With probability 1 − 2^{-λ}, we have |p − p_j| ≤ ε. They 


¹³ There will also be one-dimensional subspaces, which we ignore in this overview since they can be viewed as 
“degenerate” two-dimensional subspaces. 

¹⁴ We allow for decoherence, so we ask that every element of S_j is mapped to a mixed state where every component 
is in S_j. 
(implicitly) implement Transform^{A,B} by alternating measurements A and B back and forth until 
B → 1, with an expected running time of O(1/p_j) on S_j. 
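The [MW05]-style Estimate and Transform procedures just described, as an added Python simulation that is not part of the paper: one two-dimensional Jordan subspace S_j is modelled with real unit vectors v = |v_{j,1}⟩ and w = |w_{j,1}⟩ chosen so that ⟨v|w⟩² = p_j (constructed values), and the alternating projective measurements A, B are simulated exactly. It shows the fixed-length estimator d/(t − 1), the variable-length variant of Section 2.3.2 (run until d coincidences b_i = b_{i+1} have occurred), and Transform run until B → 1, whose measurement count should average about 1/p_j.

```python
import math
import random


def jordan_block(p):
    """One 2-D Jordan subspace S_j (constructed): Pi_A = |v><v|, Pi_B = |w><w| with <v|w>^2 = p."""
    return (1.0, 0.0), (math.sqrt(p), math.sqrt(1.0 - p))


def measure(state, vec, rng):
    """Binary projective measurement (|vec><vec|, I - |vec><vec|) on a real 2-D unit vector.
    Returns (outcome, post-measurement state): vec on outcome 1, its complement on outcome 0."""
    overlap = state[0] * vec[0] + state[1] * vec[1]
    if rng.random() < overlap * overlap:
        return 1, vec
    return 0, (-vec[1], vec[0])


def estimate(state, v, w, t, rng):
    """Fixed-length Estimate^{A,B}: alternate A and B for t steps and output d/(t-1),
    where d counts indices i with b_i = b_{i+1}. Returns (estimate, residual state)."""
    outcomes = []
    for i in range(t):
        b, state = measure(state, v if i % 2 == 0 else w, rng)
        outcomes.append(b)
    d = sum(outcomes[i] == outcomes[i + 1] for i in range(t - 1))
    return d / (t - 1), state


def estimate_variable(state, v, w, d_target, rng):
    """Variable-length Estimate^{A,B} (Section 2.3.2): keep alternating until d_target
    coincidences b_i = b_{i+1} have occurred; output d_target / (pairs observed)."""
    prev, d, pairs, i = None, 0, 0, 0
    while d < d_target:
        b, state = measure(state, v if i % 2 == 0 else w, rng)
        if prev is not None:
            pairs += 1
            d += b == prev
        prev, i = b, i + 1
    return d_target / pairs, state


def transform(state, v, w, rng):
    """Transform^{A,B} as [CMSZ21] implicitly implement it: alternate B and A until B -> 1.
    Returns (number of measurements, final state), the final state lying in image(Pi_B)."""
    steps = 0
    while True:
        b, state = measure(state, w, rng)
        steps += 1
        if b == 1:
            return steps, state
        _, state = measure(state, v, rng)
        steps += 1


# Seeded drivers so that the quantities of interest are returned, not only printed.
def run_estimate(p, t, seed):
    v, w = jordan_block(p)
    return estimate(v, v, w, t, random.Random(seed))[0]


def run_estimate_variable(p, d_target, seed):
    v, w = jordan_block(p)
    return estimate_variable(v, v, w, d_target, random.Random(seed))[0]


def run_transform(p, seed):
    """Returns (steps, |<final|w>|): the second value is 1 when the output is in image(Pi_B)."""
    v, w = jordan_block(p)
    steps, s = transform(v, v, w, random.Random(seed))
    return steps, abs(s[0] * w[0] + s[1] * w[1])


def mean_transform_steps(p, trials, seed=0):
    """Average measurements spent by Transform starting from v; about 1/p as in the text
    (for this 2-D chain the exact expectation works out to 1 + 1/p)."""
    rng = random.Random(seed)
    v, w = jordan_block(p)
    return sum(transform(v, v, w, rng)[0] for _ in range(trials)) / trials


if __name__ == "__main__":
    for p in (0.1, 0.3, 0.7):
        print(f"p_j={p}: fixed estimate {run_estimate(p, 4001, 0):.3f}, "
              f"variable estimate {run_estimate_variable(p, 400, 1):.3f}, "
              f"mean Transform steps {mean_transform_steps(p, 2000):.2f}")
```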


The [CMSZ21] Extractor. We now use the abstract procedures (Estimate, Transform) to de- 
scribe (a slightly simplified version of) the [CMSZ21] extractor. Let |+_R⟩_R denote the uniform 
superposition over challenges on register R and let H denote the register containing the prover’s 
state. Let V_r = (Π_{V,r}, I − Π_{V,r}) denote a binary projective measurement on H that measures 
whether P* returns a valid response on r. 

The extraction technique makes crucial use of two measurements: the first is U = (Π_U, I − Π_U), 
where 

$$\Pi_U := I_H \otimes |{+_R}\rangle\langle{+_R}|_R$$

is the projective measurement of whether the challenge register R is uniform. The second is C = (Π_C, I − Π_C), where 

$$\Pi_C := \sum_{r} (\Pi_{V,r})_H \otimes |r\rangle\langle r|_R$$

is the projective measurement that runs the prover on the challenge on R and checks whether the prover wins. The 
extraction procedure is described in Fig. 3 below. 


Figure 3: The [CMSZ21] extractor with generic procedures Estimate, Transform 


1. Generate a first verifier message vk and run P*(vk) → a to obtain a classical first prover 
message a once and for all. Let |ψ⟩ denote the state of P* after it returns a. 


2. Run Estimate^{U,C} to accuracy γ/4 on |ψ⟩|+_R⟩, which outputs an estimate p of the ad- 
versary’s success probability, and then discard R;^a abort if p < γ/2 (this occurs with 
probability at most 1 − γ/2). Subtract γ/4 from p so that p represents a reasonable lower 
bound on the success probability. Set an error parameter ε =  for the rest of the 
procedure and fix N = λk/p. 


3. We now want to generate k accepting transcripts. For i from 1 to N: 

   (a) Sample a uniformly random challenge r_i and apply V_{r_i} to the current state |ψ_i⟩. 

   (b) If the output is b_i = 1, measure the response z_i. This is (computationally) unde- 
   tectable by the protocol’s collapsing property, so we ignore this step for now. 

   (c) Let E be a unitary such that applying E to H ⊗ W (where W is an appropriate- 
   size ancilla initialized to |0⟩_W) and then discarding W is equivalent to running 
   Estimate^{U,C} for λp/ε² steps on H ⊗ R (where R is initialized to |+_R⟩_R) and then 
   discarding R. 
   We repair the success probability by initializing W = |0⟩_W and then running 
   Transform^{D,G} on H ⊗ W where, roughly speaking, D is a projective measurement 
   corresponding to the disturbance caused by step (a), and G is a projective measure- 
   ment that determines whether the adversary’s success probability is good, meaning 
   at least p − ε. More precisely: 

      • G = (Π_{p,ε}, I − Π_{p,ε}) returns 1 if, after applying E, the estimate is at least p − ε.^b 
      • D = (Π_{r_i,b_i}, I − Π_{r_i,b_i}) returns 1 if W = |0⟩_W and applying V_{r_i} returns b_i. 

   If Transform^{D,G} has not terminated within T calls to D and G, abort (this occurs 
   with probability at most O(1/T)). Otherwise, apply E, trace out W, re-initialize 
   R to |+_R⟩ and then run Estimate^{U,C} for λp/ε² steps to obtain a new probability 
   estimate p'. If p' < p − 2ε, abort. Finally, discard R and re-define p := p'. 


^a We assume here that when we run Estimate^{U,C} on a state |φ⟩ ∈ image(Π_U), the residual state is in image(Π_U). 
Then we are guaranteed that R is unentangled from H, which allows us to discard it. In our eventual construc- 
tion, this assumption is enforced in Theorem 6.2. 

^b In our actual construction/proof, we replace this call to Estimate (and the additional call at the end of Step 
3c) with a weaker primitive that only computes the threshold instead of fully estimating p. This change makes 
it easier to instantiate the primitive. 


2.3.2 Guaranteed extraction, first attempt 


The [CMSZ21] algorithm, interpreted in terms of the abstract procedures Estimate, Transform, will 
serve as our initial template for extraction. We now consider whether it can be modified to achieve 
guaranteed extraction. 


Syntactic Changes. The first issues with the [CMSZ21] extraction procedure are syntactic in 
nature. Namely, we want an extraction procedure that works for any P*, with no a priori lower 
bound γ on the success probability of P*. Of course, an extractor Extract^{P*} that extracts with 
probability close to 1 given an arbitrary P* is impossible to achieve (imagine a P* with negligible 
success probability), so the game is also changed as described in Definition 2.2. In terms of the 
template, the change is as follows: 


• After obtaining (a, |ψ⟩), measure C on |ψ⟩|+_R⟩ and terminate if the outcome is 0. 


• Otherwise, the state is (re-normalized) Π_C(|ψ⟩|+_R⟩), and the goal is to extract with proba- 
bility 1 − negl. 


Variable-Runtime Estimation. Since we are given no a priori lower bound γ on the success 
probability of P*, there is no fixed additive precision ε for which the initial Estimate in Fig. 3 
guarantees successful extraction: the initial state |ψ⟩|+_R⟩ could be concentrated on subspaces 
S_j such that p_j < ε, in which case the estimation procedure almost certainly returns 0. 

To remedy this issue, we define a variable-length variant of Estimate^{A,B} with the guarantee that 
for every j and every state in S_j, Estimate^{A,B} returns p_j to within constant (factor 2) multiplicative 
accuracy with probability 1 − 2^{-λ}. With regard to instantiation, we note that the [MW05]-based 
implementation of Estimate^{A,B} can be modified to be variable-length: simply continue alternating 
Π_A, Π_B until sufficiently many (d = poly(λ)) coincidences b_i = b_{i+1} occur, so that the estimate d/t (where t is 
the number of measurements performed) is reasonably concentrated around its expectation. 

Thus, we begin with the natural idea that Step 2 should be modified to use this variable-length 
Estimate. We remark that variable-length Estimate is not required in later steps: the output p of 
Step 2 can be used to set the parameters (ε, N) for the rest of the procedure. 

With this modification, our extractor never aborts in Step 2, but it also no longer runs in strict 
polynomial time. How do we analyze its runtime? First, one can compute that when run on a 
state in S_j, the expected running time of this procedure is (up to factors of poly(λ)) roughly 1/p_j. 
This might seem concerning, because this expectation could be large (even superpolynomial) if p_j 
is very small. However, what we care about is the runtime of Estimate^{U,C} on the (re-normalized) 
state Π_C(|ψ⟩|+_R⟩). Writing |ψ⟩|+_R⟩ = Σ_j α_j |v_{j,1}⟩, we see that Π_C(|ψ⟩|+_R⟩) = Σ_j α_j √p_j |w_{j,1}⟩. 
To calculate the overall expected runtime, we use the fact that Estimate^{U,C} commutes with the 
projective measurement Jor that outputs j on each subspace S_j. This implies that the expected 
runtime of Estimate on our state is the weighted linear combination of its expected runtime on the 
eigenstates |v_{j,1}⟩, namely 

$$\sum_j \frac{|\alpha_j|^2\, p_j}{\gamma^*} \cdot \frac{1}{p_j} = \sum_j \frac{|\alpha_j|^2}{\gamma^*} = \frac{1}{\gamma^*},$$

where γ* = ‖Π_C(|ψ⟩|+_R⟩)‖² is the probability that C → 1 in the initial execution.¹⁵ Thus, the 
overall expected runtime equals γ* · (1/γ*) = 1, so Step 2 of the procedure is efficient! 


Our first attempt. With the changes above, Step 2 of the extraction procedure now has zero 
error and runs in expected polynomial time (EQPT_m). 

The other source of non-negligible extraction error from Fig. 3 is in the cutoff T imposed 
on Transform^{D,G}. By removing this cutoff, we obtain a procedure that is somewhat closer to the 
goal of guaranteed extraction in expected polynomial time, described in Fig. 4 below. 


Figure 4: Guaranteed extraction (Attempt 1) 


1. After obtaining (a, |ψ⟩), apply C to |ψ⟩|+_R⟩ and terminate if the measurement returns 
0. Otherwise, let |φ⟩ denote the resulting state on H ⊗ R. 


2. Run the variable-length Estimate^{U,C} on |φ⟩, obtaining output p. Divide p by 2 to obtain 
a lower bound on the resulting success probability. Set ε =  and N = λk/p. 


3. Run Step 3 of the original [CMSZ21] extractor as in Fig. 3 with the parameters p, ε, N. 
Instead of imposing a time limit T, the procedure Transform^{D,G} is allowed to run until 
completion (G → 1).^a 


^a To avoid a computation that runs for infinite time, one should at the very least impose an exponential 2^λ 
time cutoff, which can be shown to incur only a 2^{-λ} correctness error. 


2.3.3 Problem: Step 3 is not expected poly-time. 


Unfortunately, the “first attempt” above does not satisfy Definition 2.2. The issue lies in its runtime: 
we argued before that over the randomness of Extract^{P*}, Step 2 runs in expected polynomial time. 
However, we did not analyze Step 3, which is the main loop for generating transcripts. Here is a 
rough estimate for its runtime. 

Recall that Step 3 loops the following steps for each i = 1, ..., λk/p: 


• Run the prover P* on a random challenge r_i. This takes a fixed poly(λ) amount of time. 


• Then, regardless of whether P* was successful, the residual prover state |ψ_i⟩ must be repaired 
to have success probability ≈ p. 


It turns out that as currently written, the expected runtime of the repair step is (up to poly(λ) 
factors) equal to the runtime of a fixed-length Estimate procedure with precision ≈ p² (this ensures 
that after 1/p repair steps, the total success probability loss must be at most p). Moreover, 
this runtime is intuitively necessary for any possible repair procedure, since repairing the success 
probability should be at least as hard as computing whether it is above the acceptable threshold. 


¹⁵ One way to see this is to notice that applying Jor after running Estimate^{A,B} clearly cannot affect the runtime of 
Estimate^{A,B}. Then Jor can be commuted to occur before Estimate^{A,B}. 

In our setting, the [CMSZ21] estimation procedure requires 1/p³ time to obtain a 
p²-accurate estimate in the relevant parameter regime.¹⁶ Since Step 3 performs this loop 1/p times 
(omitting the λk factor), the total runtime will be at least 1/p⁴. This is too long for the “conditioning” 
of Step 1 to save us: if the initial state at the beginning of Step 1 is |ψ⟩|+_R⟩ ∈ S_j, the expected 
runtime of Step 3 is p_j · 1/p_j⁴ = 1/p_j³, which can be arbitrarily large (when p_j is small). 


Idea: Use a faster Estimate? Given how we have phrased the extractor in terms of abstract 
(Estimate, Transform) algorithms, a natural idea for improving the runtime is to use an imple- 
mentation of the abstract Estimate algorithm that is faster than the [MW05]-based one used in 
[CMSZ21]. Indeed, if we use the procedure described in [...] to implement Estimate^{U,C}, we 
obtain a quadratic speedup: the runtime of Estimate^{U,C} in Step 3c improves quadratically. 

This speedup will be relevant to our eventual solution, but it does not resolve the problem. 
The back-of-the-envelope calculation now just says that the expected runtime of Step 3 on a state 
|ψ⟩|+_R⟩ ∈ S_j is p_j times the (quadratically improved) cost of the Step 3 loop on S_j, which is still unbounded. 


So are we doomed? Indeed, this runtime calculation seems problematic for the entire [CMSZ21] 
template that we abstracted, by the following reasoning: 


• On a state with initial estimate p, each choice of r_i will only produce an accepting transcript 
with probability ≈ p, so we must try ≈ k/p choices of i.i.d. r_i to obtain k accepting transcripts. 


• Therefore, as long as the repair step takes super-constant time (as a function of 1/p), the 
overall extraction procedure will take too long. 


This seems to indicate a dead end for extractors that follow the standard rewinding template 
of repeatedly running P* on random r to obtain accepting transcripts. 


2.3.4 Solution: A New Rewinding Template 


We solve our unbounded runtime issue by abandoning “classical” rewinding, in the following sense: 
unlike prior extraction procedures [CMSZ21], our extractor will not follow the standard 
approach of obtaining transcripts by feeding uniformly random r_i to P*. Instead, we will generate 
accepting transcripts (r_i, z_i) via an inherently quantum procedure so that every generated transcript 
is accepting (as opposed to only a p fraction of them). 

We accomplish this by using the procedure Transform, which was previously only used for 
state repair, to generate the transcripts. Consider a prover state |ψ_i⟩ at the beginning of Step 3. 
By definition, |ψ_i⟩|+_R⟩ ∈ image(Π_U), so applying Transform^{U,C} to |ψ_i⟩|+_R⟩ produces a state in 
image(Π_C). Now if the challenge register R is measured (obtaining a string r_i), the residual prover 
state is guaranteed to produce an accepting response on r_i! 


¹⁶ As written in [CMSZ21], the estimation procedure runs in 1/p⁴ time, but a factor of p can be saved because 
(roughly speaking) the estimate only needs to achieve p² accuracy when p_j is close to p. 
Moreover, the extraction procedure can afford to run Transform^{U,C}: since |ψ_i⟩|+_R⟩ has been 
constructed to lie almost entirely in subspaces S_j such that p_j ≥ p − ε, the expected running time 
of Transform^{U,C} can be shown to be roughly¹⁷ 1/p. 

This gives us a potential new template for extraction: we modify the main loop (Step 3) as in 
Fig. 5. 


Figure 5: Our new extraction template 


1. After obtaining (a, |ψ⟩), apply C to |ψ⟩|+_R⟩ and terminate if the measurement returns 
0. Otherwise, let |φ⟩ denote the resulting state on H ⊗ R. 


2. Run the variable-length Estimate^{U,C} on |φ⟩, obtaining output p. Divide p by 2 to obtain 
a lower bound on the resulting success probability. Set ε = . 


3. For i from 1 to k: 

   (a) Given current prover state |ψ_i⟩, apply Transform^{U,C} to |ψ_i⟩|+_R⟩. Call the resulting 
   state |φ_C⟩. 

   (b) Obtain a guaranteed accepting transcript (r_i, z_i) by measuring the R register of |φ_C⟩ 
   and then running P* on r_i. As before, measuring z_i is computationally undetectable. 

   (c) Run the Repair Step (3c) as in Fig. 3 by calling Transform^{D,G} and re-estimating p. 


We emphasize two crucial efficiency gains from this new extraction template: 


• As already mentioned, the main loop now has k steps instead of k/p, since each transcript is 
now guaranteed to be accepting. 


• Since only k repair operations are now required, the error parameter ε for Π_{p,ε} can be set to 
≈ p instead of ≈ p². 


Correctness Analysis. We remark that even the correctness of this new extraction procedure 
is unclear. In the case of k-special sound protocols, we need the extraction procedure to produce k 
accepting transcripts with distinct r_i; previously, this was guaranteed because each r_i was sampled 
i.i.d., so (w.h.p.) no pair of them coincide. Here, r_i is not uniformly random: it has been sampled 
by measuring the R register of some state in image(Π_C). 

In order to analyze the behavior of this extractor, it is important to understand the state |φ_C⟩ 
obtained after applying Transform^{U,C}. Of course, we have an explicit representation Σ_j α_j |w_{j,1}⟩ 
for it, but it is not clear a priori how this helps. 

To prove correctness, we analyze the state |φ_C⟩ using what we call the Pseudoinverse Lemma 
(Lemma 7.1), which states that |φ_C⟩ can be viewed as a conditional state obtained by starting with 
a state |φ_U⟩ = |ψ_U⟩|+_R⟩ ∈ image(Π_U) and post-selecting (i.e., conditioning) on a C-measurement of 
|φ_U⟩ outputting 1. Crucially, this pseudoinverse state has a precisely characterized (U, C)-Jordan 
spectrum related to the Jordan spectrum of |φ_C⟩. We emphasize that the state |φ_U⟩ does not 
actually exist in the extraction procedure; it is just a tool for the analysis. 


For technical reasons, we cut off $\mathsf{Transform}$ after an exponential number of steps so that the component of $|\psi_i\rangle|+_R\rangle$ lying in "bad" $S_j$ (i.e., where $p_j$ is tiny) does not ruin the expected running time.
Using the pseudoinverse lemma, one can show that the probability a $C$-measurement of $|\psi_U\rangle$ returns 1 is $\approx p$, which implies that the joint distribution of $(r_1, \ldots, r_k)$ comes from a "random enough" distribution that we formalize as "admissible" (Definition 5.5). This is shown by the following reasoning: since measuring $\mathsf{R}$ commutes with $C$, it is as if we have an initially uniformly random $r_i$ (obtained from measuring $\mathsf{R}$ of $|\psi_U\rangle$) that is "output" with probability $\approx p$ (when $C$ returns 1). This is sufficient to argue about correctness properties of the extractor.


Runtime Analysis Idea. Analyzing the runtime of $\mathsf{Transform}^{D,G}$ also turns out to be significantly more subtle than in the [CMSZ21] setting. The basic idea is to show that (within a reasonable amount of time) $\mathsf{Transform}^{D,G}$ returns a state on $\mathsf{H} \otimes \mathsf{W}$ to $\mathrm{image}(\Pi_{U,r})$ after it was "initially" disturbed by the binary measurement $D$. In [CMSZ21], this is literally true: the disturbance is measuring $(\Pi_{U,r}, I - \Pi_{U,r})$ for randomly sampled $r$ on the prover state $|\psi_i\rangle$. One can then show that an expected constant number of $(D,G)$-measurements returns the state to $G$ by appealing to the statistics of the $(D,G)$ Marriott-Watrous distribution.

However, in our setting, the "disturbance" is quite different: the amplified state $|\psi_C\rangle \in \mathrm{image}(\Pi_C)$ consists of a prover state entangled with the challenge register $\mathsf{R}$ in a way that is guaranteed to produce an accepting transcript. $|\psi_C\rangle$ is then disturbed by measuring its $\mathsf{R}$ register, and the measurement $D$ being applied in $\mathsf{Transform}^{D,G}$ depends on this $\mathsf{R}$ measurement outcome. Since the $\mathsf{R}$ measurement can disturb $|\psi_C\rangle$ by a large amount (unlike $D$), it is not a priori clear why $\mathsf{Transform}^{D,G}$ should return the state to $\mathrm{image}(\Pi_{U,r})$.

At a high level, we show how to bound the runtime of this new procedure by appealing to the pseudoinverse state $|\psi_U\rangle$, again! In more detail, using the pseudoinverse lemma, the state on $\mathsf{H} \otimes \mathsf{W}$ obtained after measuring $\mathsf{R}$ on $|\psi_C\rangle$ (along with initializing $\mathsf{W}$ to $|0\rangle$) can be alternatively thought of as the state obtained by:

• Sampling $r_i$ proportional to the probability $c_{r_i}$ of $|\psi_U\rangle$ successfully answering $r_i$, and

• Outputting (normalized) $\Pi_{r_i}(|\psi_U\rangle \otimes |0\rangle_{\mathsf{W}})$, where $\Pi_{r_i} := \Pi_{U,r_i}$.

This conditioning argument allows us to appeal to the same "return to $\Pi_D$" principle to show that $\mathsf{Transform}^{D,G}$ indeed "returns" the state to $\mathrm{image}(\Pi_{U,r})$, as if it had "started out" as the state $|\psi_U\rangle|0\rangle_{\mathsf{W}}$, which only exists in the analysis!


2.3.5 Problem: Step 3 is still not expected poly-time. 


The premise of our new extraction template was to speed up the extraction process by getting rid of excess work from running state repair in situations where no accepting transcript was obtained. Previously, we computed the expected runtime to perform $N \approx k/p$ repair steps (conditioned on a successful initial execution and initial estimate $p$) to be $pN/\varepsilon^2 \approx 1/p^4$, since the runtime of each repair step was equivalent (up to a constant factor) to the runtime of $G$, which was $p/\varepsilon^2$, and $\varepsilon \approx p^2$. As noted above, with our new template we now only have to perform $N = k$ repair steps, and the error parameter $\varepsilon$ can now be $\approx p$. With these improvements alone, one might hope to perform $N$ repair steps in $pN/\varepsilon^2 = p \cdot k \cdot (1/p^2) \approx 1/p$ time. This would result in expected polynomial runtime for the overall extractor when factoring in the conditioning.

Perhaps surprisingly, the above reasoning is incorrect! This new extraction procedure is still not expected QPT: the expected runtime of $N$ repair steps will be $\approx 1/p^2$, not $\approx 1/p$.
Why does this happen? It turns out that in this new extraction template, each repair step (which previously made expected $O(1)$ calls to $G$) must now make an expected $O(1/p)$ calls to $G$, cancelling out the factor-$1/p$ savings in $N$ obtained by using $\mathsf{Transform}^{U,C}$ to generate transcripts.

Indeed, the pseudoinverse-based runtime analysis above for $\mathsf{Transform}^{D,G}$ implies that each repair step must now make

$$\sum_{r} \frac{c_r}{c_{\mathsf{R}}} \cdot \frac{1}{c_r} \;=\; \frac{1}{c_{\mathsf{R}}} \;\approx\; \frac{1}{p}$$

calls to $G$ (where $c_{\mathsf{R}} := \sum_r c_r \approx p$ is the normalization factor for the $r_i$-distribution). This results in an overall expected running time of $\approx 1/p^2$ calls to $G$ if $p$ was initially measured. Essentially, this is saying that while obtaining an accepting transcript $(r_i, z_i)$ causes limited enough disturbance that repair can work, it causes more disturbance than a binary measurement, resulting in a factor of $1/p$ increase in the repair time.


2.3.6 Solution: Use faster Estimate and Transform 


Despite the less-than-expected speedup observed in Section 2.3.5, it turns out that we nevertheless made significant progress. The reason is that the bottleneck to obtaining a faster extraction procedure is now in the running times of $\mathsf{Estimate}$ and $\mathsf{Transform}$, so we can hope to obtain an expected polynomial time procedure by using faster algorithms for $\mathsf{Estimate}^{U,C}$ and $\mathsf{Transform}^{D,G}$.

As discussed above, speeding up the fixed-length $\mathsf{Estimate}^{U,C}$ in $G$ is relatively straightforward by appealing to the literature on fast amplitude estimation;¹⁸ this results in a correspondingly smaller expected running time for $G$.


However, implementing a fast version of $\mathsf{Transform}^{D,G}$ achieving $1 - \mathrm{negl}(\lambda)$ correctness (which is required for our extraction procedure to have negligible error) is less straightforward. Some implementations in the literature (e.g., [GSLW19]) achieve this correctness guarantee, but only given a known (inverse polynomial) lower bound on the eigenvalue $q_j$ (associated with the $(D,G)$-Jordan subspace $T_j$). We have no such lower bound for our state $\Pi_{r_i}(|\psi_U\rangle|0\rangle_{\mathsf{W}})$. Our resolution is to first apply a variable-length fast phase estimation algorithm (implemented by repeatedly running fixed-length phase estimation to increasing precision, or singular value discrimination with decreasing thresholds, until we obtain a multiplicative estimate of the phase) and then run a fixed-length fast $\mathsf{Transform}^{D,G}$ using the estimated phase to lower bound the eigenvalue. The fixed-length fast $\mathsf{Transform}^{D,G}$ can be done using [GSLW19]; it is also possible to use a more elementary algorithm combining fast amplitude amplification with ideas from the literature for achieving $1 - \mathrm{negl}(\lambda)$ correctness.

To summarize, we obtain a final $1/p$ speedup by combining a $1/\sqrt{p}$ speedup from using a faster $\mathsf{Estimate}^{U,C}$ with a $1/\sqrt{p}$ speedup from using a faster $\mathsf{Transform}^{D,G}$. The fact that the latter speedup is actually realized turns out to be subtle to argue.


2.3.7 Last Problem: Measuring z ruins the runtime guarantee 


Unfortunately, we are still not done! There is one subtle issue with our extractor that we have ignored so far: our runtime analysis was only valid ignoring the effect of measuring the prover response $z$. Since all transcripts after running $\mathsf{Transform}^{U,C}$ are accepting by construction, the collapsing property of the protocol implies that measuring $z$ is computationally undetectable, so one might assume that the runtime analysis extends immediately.


18 For technical reasons, we use a different algorithm due to [GSLW19], but a variant of [NWZ09] would also suffice.
However, the expected running time of an algorithm is not an efficiently testable property of the input state. This is not just an issue with our proof strategy: the version of the above extractor where $z$ is measured does not run in expected polynomial time.

In a nutshell, the issue is that a computationally undetectable measurement can still cause a state's eigenvalues (either $\{p_j\}_j$ in $\mathrm{Jor}^{U,C}$, or $\{q_j\}_j$ in $\mathrm{Jor}^{D,G}$) to change by a negligible but nonzero amount, affecting the subsequent runtime of $\mathsf{Transform}^{D,G}$. This negligible change can have an enormous effect on the expected runtime of the extractor, because if the runtime of a procedure is inversely proportional to the disturbed eigenvalue $\tilde{p} = p - \mathrm{negl}$, an overall expected runtime expression can now contain terms of the form $p/(p - \mathrm{negl})$, which can be unbounded when $p$ is also negligible. Interestingly, such issues have long been known to exist in the classical setting: these $p/(p - \mathrm{negl})$ terms are the major technical difficulty in obtaining a classical simulator for the [GK96] protocol. This classical analogy inspires our resolution.


Solution: Estimate repair time before measuring $z$. We modify our extractor so that in each loop iteration, all procedures occurring after the $z$-measurement have a pre-determined runtime. Previously, after $z$ was measured, we ran a fast variable-length $\mathsf{Transform}$ by running the variable-length $\mathsf{Estimate}^{D,G}$ to determine a time bound $t$, and then running a $t$-time $\mathsf{Transform}^{D,G}$. Instead of this, we will run $\mathsf{Estimate}^{D,G}$ before $z$ is measured. This allows us to compute a runtime bound for $\mathsf{Transform}^{D,G}$ before the $z$ measurement disturbs the state, preserving the expected running time of the entire procedure. This results in the final extraction procedure described in Fig. 6 below.


Figure 6: Our final extraction procedure

1. After obtaining $(a, |\psi\rangle)$, apply $C$ to $|\psi\rangle|+_R\rangle$ and terminate if the measurement returns 0. Otherwise, let $|\psi'\rangle$ denote the resulting state on $\mathsf{H} \otimes \mathsf{R}$.

2. Run the variable-length $\mathsf{Estimate}^{U,C}$ on $|\psi'\rangle$, obtaining output $p$. Divide $p$ by 2 to obtain a lower bound on the resulting success probability. Set $\varepsilon$ proportional to $p$ and $N = k$.

3. For $i$ from 1 to $N$:

   (a) Given prover state $|\psi_i\rangle$, apply $\mathsf{Transform}^{U,C}$ to $|\psi_i\rangle|+_R\rangle$. Call the resulting state $|\psi_C\rangle$.

   (b) Measure (and discard) the $\mathsf{R}$ register of $|\psi_C\rangle$ to obtain a classical challenge $r_i$.

   (c) Initialize $\mathsf{W}$ to $|0\rangle_{\mathsf{W}}$ and call the variable-length $\mathsf{Estimate}^{D,G}$, which outputs a value $q$. We require that the output state is in the image of $\Pi_{r_i}$.

   (d) Measure the response $z_i$.

   (e) We repair the success probability by running $\mathsf{Transform}^{D,G}$ on $\mathsf{H} \otimes \mathsf{W}$ for a number of oracle steps determined by $q$. If the resulting state is not in the image of $\Pi_{D,\varepsilon}$, abort. Trace out $\mathsf{W}$ and run $\mathsf{Estimate}^{U,C}$ for $\lambda\sqrt{p}/\varepsilon$ steps to obtain a new probability estimate $p'$. If $p' < p - 2\varepsilon$, abort. Finally, discard $\mathsf{R}$ and re-define $p := p'$.


By making this change, we incur an additional correctness error for the extractor, because the collapsing measurement may decrease the probability that $\mathsf{Transform}^{D,G}$ successfully maps the state into $\mathrm{image}(\Pi_{U,r})$. However, this error is negligible because this correctness property is efficiently checkable (unlike the expected runtime). Thus, this procedure achieves both expected polynomial runtime¹⁹ and the desired correctness guarantees.

19 It remains to be argued that measuring $z_i$ does not affect the running time of subsequent variable-runtime steps.


2.3.8 Putting everything together 


To summarize, we gave a new extraction template along with a particular instantiation that achieves 
expected polynomial runtime, by leveraging four different algorithmic improvements: 


1. By generating accepting transcripts with $\mathsf{Transform}^{U,C}$, we now only have to generate $k$ transcripts and repair $k$ prover states (instead of $k/p$).

2. (1) allows us to relax the error parameter $\varepsilon$ by a factor of $1/p$ (speeding up $G$).

3. Using a fast algorithm for $\mathsf{Estimate}$ from the literature saves a factor of $1/\sqrt{p}$ runtime.

4. Using a new fast, variable-runtime algorithm for $\mathsf{Transform}$ saves another factor of $1/\sqrt{p}$.


Finally, we implement the variable-length Transform in two phases (variable-length phase estimation 
followed by fixed-length Transform) and interleave the measurement of the response z between them, 
so that this z-measurement has no effect on the runtime. 

We remark that the overall analysis of our extractor is rather involved (as we have omitted additional details in this overview); we refer the reader to Section 8 for a full analysis.


2.4 Post-Quantum ZK for [GK96]


In this section we give an overview of our proof that the Goldreich-Kahan (GK) protocol is post-quantum zero-knowledge (Theorem 1.4). Our simulator makes use of some of the techniques described in Section 2.3, but the simulation strategy is quite different from our other results. In particular, our simulator does not make use of state-preserving extraction.

We first recall the Goldreich-Kahan construction of a constant-round zero-knowledge proof system for NP. Let $(P_\Sigma, V_\Sigma)$ be a $\Sigma$-protocol for NP satisfying special honest verifier zero knowledge (SHVZK),²⁰ and let $\mathsf{Com}$ be a statistically hiding, computationally binding commitment. [GK96] construct a zero knowledge protocol $(P, V)$ as described in Fig. 7.

Soundness of the protocol holds against unbounded $P^*$ and therefore extends immediately to the quantum setting.


Recap: the naive classical simulator. As observed by [GK96], there is a natural naive simulator for their protocol that, for reasons analogous to Section 2.3.7, turns out to have an unbounded expected runtime. To build intuition for our quantum simulation strategy, we will first recall the naive classical simulator and show how to extend it to a naive quantum simulator (while temporarily ignoring the runtime issue). Then, by using the technique described in Section 2.3.7, we will improve this to a full $\mathrm{EQPT}_c$ quantum simulator.

The naive classical simulator does the following: 


This turns out to hold because the runtime of future loop iterations can be guaranteed by the correctness properties of the re-estimation step, which hold for an arbitrary re-estimation input state.

20 Recall that the special honest-verifier zero-knowledge property guarantees the existence of a randomized simulation algorithm $\mathsf{SHVZK.Sim}(r)$ that takes any $\Sigma$-protocol challenge $r \in R$ as input and outputs a tuple $(a, z)$ such that the distribution of $(a, r, z)$ is indistinguishable from the distribution of transcripts arising from an honest prover interaction on challenge $r$.
P(x, w)                                                     V(x)

                                                            Sample commitment key ck.
                                  ck
                         <--------------------
                                                            Sample Σ-protocol challenge r ← R.
                                                            Commit to r:
                                                            com = Com(ck, r; ω) for ω ← {0,1}^λ.
                                  com
                         <--------------------
Compute (a, st) ← P_Σ(x, w).
                                  a
                         -------------------->
                                (r, ω)
                         <--------------------
If Com(ck, r; ω) ≠ com, abort.
Compute z ← P_Σ(st, r).
                                  z
                         -------------------->             Accept if (a, r, z) is an accepting
                                                            Σ-protocol transcript for x.

Figure 7: The [GK96] Zero Knowledge Proof System for NP.


1. Call V* on a random commitment key ck to obtain a commitment com.

2. Sample (a′, z′) ← SHVZK.Sim(0).

3. Run V* on a′ to obtain a challenge-opening pair (r′, ω′). If ω′ is not a valid opening of com to r′, terminate the simulation and output the current view of V*.

4. Rewinding step. Sample (a, z) ← SHVZK.Sim(r′) and run V* on a. If the output (r, ω) is not a valid message-opening pair, repeat this step from the beginning.

5. Respond with z and output V*'s view.


To see that this simulator outputs the correct view for V*, consider two hybrid steps: 


• First, switch to a hybrid simulator in which the sample (a′, z′) ← SHVZK.Sim(0) is instead computed by running the honest prover P(x, w). The indistinguishability between this hybrid simulator and the real simulator follows from the fact that a′ sampled as (a′, z′) ← SHVZK.Sim(0) is computationally indistinguishable from the honestly generated a′.

• Next, switch to a second hybrid simulator in which the honest prover is also used in the rewinding step to generate the (a, z) samples rather than SHVZK.Sim(r′) (where z is generated by running the honest prover on (a, r′)). This is indistinguishable from the previous hybrid simulator by the SHVZK property, and moreover, by the computational binding of the commitment, the r obtained in Step 4 must be r′ except with negl(λ) probability. Moreover, conditioned on r = r′, the second hybrid produces the same distribution as the honest interaction.


We now show how to extend this simulator to the quantum setting. 


Our "naive" quantum simulator. Step 1 of the naive classical simulator will be unchanged in the quantum setting, so we focus on devising quantum versions of Steps 2, 3, and 4 while assuming ck, com are fixed throughout.

Let $|\psi\rangle$ be the state of the malicious verifier immediately after it sends com. We let registers $\mathsf{A}, \mathsf{Z}$ denote registers containing the messages $a, z$ in the $\Sigma$-protocol and let $\mathsf{M}$ be a register that will contain the random coins for SHVZK.Sim (or the honest prover later on). Let $|\mathrm{Sim}_r\rangle$ for any $r \in R$ be the state $|\mathrm{Sim}_r\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}} \propto \sum_\mu |\mathsf{SHVZK.Sim}(r;\mu), \mu\rangle$ obtained by running SHVZK.Sim on a uniform superposition of its random coins $\mu$.

We define binary projective measurements analogous to the $U$ and $C$ measurements used in our state-preserving extractor. However, instead of a single $U$ measurement, we will have for each $r \in R$ a measurement $S_r = (\Pi_{S_r}, I - \Pi_{S_r})$ on $\mathsf{V} \otimes \mathsf{A} \otimes \mathsf{Z} \otimes \mathsf{M}$ where $\Pi_{S_r} := I_{\mathsf{V}} \otimes |\mathrm{Sim}_r\rangle\langle\mathrm{Sim}_r|_{\mathsf{A},\mathsf{Z},\mathsf{M}}$. The idea behind the $C = (\Pi_C, I - \Pi_C)$ measurement is the same as before: it measures whether the malicious verifier $V^*$ returns a valid opening when run on the message in $\mathsf{A}$. Note that $C$ acts as identity on $\mathsf{Z}, \mathsf{M}$.

The next steps of the quantum simulator are a direct analogue of the corresponding steps in 
the classical simulator: 


2*. Initialize $\mathsf{A} \otimes \mathsf{Z} \otimes \mathsf{M}$ to $|\mathrm{Sim}_0\rangle$.

3*. Measure $|\psi\rangle_{\mathsf{V}} \otimes |\mathrm{Sim}_0\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}}$ with $C$. If the outcome of $C$ is 0 (the opening is invalid), terminate the simulation at this step: measure $\mathsf{A}$ to obtain $a'$, compute and measure the verifier's response $(r', \omega')$ and return $(\mathsf{ck}, \mathsf{com}, a', (r', \omega'), z = \bot)$ along with $\mathsf{V}$. If the outcome of $C$ is 1, we will have to rewind. First, compute the verifier's response and measure it to obtain $r'$.


When the opening is invalid ($C$ outputs 0), the SHVZK guarantee informally implies that these steps computationally simulate the view of $V^*$.

The hard case is when the opening is valid ($C$ outputs 1). At this stage of the simulation, the state on $\mathsf{V} \otimes \mathsf{A} \otimes \mathsf{Z}$ is $\Pi_C(|\psi\rangle|\mathrm{Sim}_0\rangle_{\mathsf{A},\mathsf{Z}})$ (up to normalization). Intuitively, we want to "swap" $|\mathrm{Sim}_0\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}}$ for $|\mathrm{Sim}_{r'}\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}}$, but the application of $\Pi_C$ has entangled the $\mathsf{A}$ register with $\mathsf{V}$. We will therefore apply an operation to disentangle these registers, then swap $|\mathrm{Sim}_0\rangle$ for $|\mathrm{Sim}_{r'}\rangle$, and then "undo" the disentangling operation. We do this by defining a unitary $U$ that is the coherent implementation of the following variable-length computation on $\mathsf{V} \otimes \mathsf{A} \otimes \mathsf{Z} \otimes \mathsf{M} \otimes \mathsf{R}$: measure $\mathsf{R}$ to obtain $r$, and then run a variable-length $\mathsf{Transform}^{C,S_r}$ on $\mathsf{V} \otimes \mathsf{A} \otimes \mathsf{Z} \otimes \mathsf{M}$.²¹ Recall that implementing a variable-length computation coherently requires additional ancilla registers $\mathsf{W}, \mathsf{B}, \mathsf{Q}$ (see Section 1.2); we will suppress these registers for this overview, but we emphasize that they must all be initialized to $|0\rangle$.

The simulator then continues as follows. 


4*. Run the following steps:

   (a) Initialize $\mathsf{R}$ to $|0\rangle$ and apply $U$ to $\Pi_C(|\psi\rangle_{\mathsf{V}}|\mathrm{Sim}_0\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}}) \otimes |0\rangle_{\mathsf{R}}$. On $\mathsf{V} \otimes \mathsf{A} \otimes \mathsf{Z} \otimes \mathsf{M}$, this maps $\mathrm{image}(\Pi_C)$ to $\mathrm{image}(\Pi_{S_0})$, which yields a state of the form $|\psi'\rangle_{\mathsf{V}}|\mathrm{Sim}_0\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}}$. Importantly, this (carefully!) breaks the entanglement between $\mathsf{V}$ and $\mathsf{A}$.

   (b) Now the simulator can easily swap $|\mathrm{Sim}_0\rangle$ out for $|\mathrm{Sim}_{r'}\rangle$.

   (c) Finally, the simulator changes the $\mathsf{R}$ register from $|0\rangle_{\mathsf{R}}$ to $|r'\rangle$, and then applies $U^\dagger$ and traces out $\mathsf{R}$. This step maps the state back from $\mathrm{image}(\Pi_{S_{r'}})$ to $\mathrm{image}(\Pi_C)$.

5*. Measure $\mathsf{A}$ to obtain $a$, compute and measure the verifier's response $(r, \omega)$, measure $\mathsf{Z}$ to obtain $z$, and output $(\mathsf{ck}, \mathsf{com}, a, (r, \omega), z)$ along with $\mathsf{V}$.

21 The register $\mathsf{R}$ is required for the definition of $U$ and should not be confused with the sub-register of $\mathsf{V}$ that we measure to obtain the verifier's response.
This simulator can be written as an $\mathrm{EQPT}_c$ computation, but we defer the details of this to our full proof (Section 13). For this overview, we will focus on proving the simulation guarantee.

Inspired by the classical proof, we prove that our simulator produces the correct view for $V^*$ by considering two hybrid simulators. To describe the hybrid simulators, we define states $|P\rangle$ and $|P_r\rangle$ for any $r \in R$ corresponding to responses of the honest prover:

• Let $|P\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}}$ be the state from running the honest prover $P_{x,w}$ on a uniform superposition of random coins $\mu$ to generate a first message $P_{x,w}(\mu)$, i.e., $|P\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}} \propto \sum_\mu |P_{x,w}(\mu)\rangle_{\mathsf{A}}|0\rangle_{\mathsf{Z}}|\mu\rangle_{\mathsf{M}}$.

• For any $r \in R$, let $|P_r\rangle$ be the same as $|P\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}}$, except $\mathsf{Z}$ additionally contains the honest prover's response to $r$, i.e., $|P_r\rangle_{\mathsf{A},\mathsf{Z},\mathsf{M}} \propto \sum_\mu |P_{x,w}(\mu)\rangle_{\mathsf{A}}|P_{x,w}(\mu, r)\rangle_{\mathsf{Z}}|\mu\rangle_{\mathsf{M}}$.


The hybrid simulators are essentially quantum versions of the classical ones: 


• The first hybrid simulator behaves the same as the original simulator except that everywhere the simulator uses $|\mathrm{Sim}_0\rangle$, the hybrid simulator uses $|P\rangle$ instead. The amplification in Step 4*(a) is now onto $\mathrm{image}(|P\rangle\langle P|)$ rather than $\mathrm{image}(\Pi_{S_0})$. Moreover, in Step 4*(b), the simulator swaps $|P\rangle$ out for $|\mathrm{Sim}_{r'}\rangle$.

• The second hybrid simulator is the same as the first, except every appearance of $|\mathrm{Sim}_{r'}\rangle$ is replaced with $|P_{r'}\rangle$. In particular, in Step 4*(b), the simulator swaps $|P\rangle$ out for $|P_{r'}\rangle$. The (inverse) amplification in Step 4*(c) is now from $\mathrm{image}(|P_{r'}\rangle\langle P_{r'}|)$ onto $\mathrm{image}(\Pi_C)$.

We remark that defining these hybrid simulators also requires extending the definition of the unitary $U$ that performs $\mathsf{Transform}$. In particular, $U$ must now support $\mathsf{Transform}^{C,P}$ where $P = (I_{\mathsf{V}} \otimes |P\rangle\langle P|,\; I - I_{\mathsf{V}} \otimes |P\rangle\langle P|)$ and $\mathsf{Transform}^{C,P_r}$ where $P_r = (I_{\mathsf{V}} \otimes |P_r\rangle\langle P_r|,\; I - I_{\mathsf{V}} \otimes |P_r\rangle\langle P_r|)$.

Proving indistinguishability of these hybrids requires some care. Intuitively, we want to invoke the SHVZK property to claim that $|\mathrm{Sim}_0\rangle$ and $|P\rangle$ are indistinguishable given just the reduced density matrices on the $\mathsf{A}$ register (for the first hybrid) and that $|\mathrm{Sim}_{r'}\rangle$ and $|P_{r'}\rangle$ are indistinguishable given just the reduced density matrices on $\mathsf{A} \otimes \mathsf{Z}$ (for the second hybrid). However, we have to ensure that the application of $\mathsf{Transform}$, which makes use of projections onto these states, does not make this distinguishing task any easier.

We resolve this by proving a general lemma about quantum computational indistinguishability (Lemma 13.1) that may be of independent interest, which we briefly elaborate on here. Consider the states $|\tau_b\rangle = \sum_\mu |\mu\rangle|D_b(\mu)\rangle_{\mathsf{Y}}$ where $D_0, D_1$ are computationally indistinguishable classical distributions with randomness $\mu$. If we are only given access to $\mathsf{Y}$, then distinguishing $|\tau_0\rangle$ from $|\tau_1\rangle$ is clearly hard (since the reduced state of $|\tau_b\rangle\langle\tau_b|$ on $\mathsf{Y}$ is a random classical sample from $D_b$). Lemma 13.1 strengthens this claim: it states that guessing $b$ remains hard even given an oracle implementing the corresponding binary-outcome measurement $(|\tau_b\rangle\langle\tau_b|,\; I - |\tau_b\rangle\langle\tau_b|)$.

By combining this lemma with the fact that our $\mathsf{Transform}$ procedure can always be truncated (in a further hybrid argument) to have strict $\mathrm{poly}(\lambda, 1/\epsilon)$-runtime with $\epsilon$-accuracy, we can prove the desired indistinguishability claims.


From the naive simulator to the full simulator. The problem with both the classical and quantum naive simulators presented above is that their expected runtime is not polynomial. The issue is conceptually the same as in Section 2.3.7. Consider a malicious verifier $V^*$ that gives a valid response with negligible probability $p$ when run on $a$ sampled as $(a, z) \leftarrow \mathsf{SHVZK.Sim}(0)$, and succeeds with probability $p - \mathrm{negl}$ when run on $a$ sampled as $(a, z) \leftarrow \mathsf{SHVZK.Sim}(r)$. Then the expected running time is $p/(p - \mathrm{negl})$, which can be unbounded for small $p$.

The solution described in [GK96] is therefore to estimate the running time of the rewinding step before making the computational switch. That is, if the simulator obtains a valid response before the rewinding step, then it keeps running $V^*$ on samples from SHVZK.Sim(0) until it obtains $\lambda$ additional valid responses. This gives the simulator an accurate estimate of the success probability of $V^*$, which it uses to bound the running time of the subsequent rewinding step.
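The naive classical simulator (Steps 1 to 5 above) and the [GK96] estimate-before-rewinding fix, written out as an added toy implementation; this is not code from the paper, and it also illustrates the "estimate before the disturbing step" principle of Section 2.3.7 in its classical form. It assumes a constructed Schnorr $\Sigma$-protocol over a small prime-order group (with SHVZK.Sim realized by choosing $z$ first), a hash-based stand-in for the statistically hiding Com, and a constructed $V^*$ that opens its commitment with a fixed probability. Because the toy protocol's simulated and honest first messages are identically distributed, the toy cannot exhibit a verifier whose opening probability differs between Sim(0) and Sim(r') messages, so it shows the control flow and where the estimate fixes the rewinding budget rather than the runtime blowup itself.

```python
import hashlib
import random

# Constructed toy parameters: Schnorr sigma-protocol in the order-509 subgroup of Z_1019^*
# (1019 = 2*509 + 1 is a safe prime, and 4 generates its subgroup of quadratic residues).
P, Q, G = 1019, 509, 4


def make_rng(seed):
    return random.Random(seed)


def keygen(rng):
    """Statement x = g^w and witness w (a discrete logarithm)."""
    w = rng.randrange(Q)
    return pow(G, w, P), w


def sigma_accepts(x, a, r, z):
    """V_Sigma's check: g^z == a * x^r."""
    return pow(G, z, P) == (a * pow(x, r, P)) % P


def shvzk_sim(rng, x, r):
    """SHVZK.Sim(r): choose z first and solve for a, so (a, r, z) accepts without w."""
    z = rng.randrange(Q)
    a = (pow(G, z, P) * pow(x, (Q - r) % Q, P)) % P
    return a, z


def commit(ck, r, opening):
    """Toy hash commitment, a stand-in for the protocol's statistically hiding Com."""
    return hashlib.sha256(f"{ck}|{r}|{opening}".encode()).hexdigest()


def opens(ck, com, resp):
    """True iff resp = (r, opening) validly opens com to r."""
    return resp is not None and commit(ck, *resp) == com


class MaliciousVerifier:
    """Constructed V*: commits to a fixed r; on each first message, opens w.p. open_prob, else aborts."""

    def __init__(self, rng, r, open_prob):
        self.rng, self.r, self.open_prob, self.calls = rng, r, open_prob, 0

    def commit(self, ck):
        self.opening = self.rng.randrange(2**32)
        return commit(ck, self.r, self.opening)

    def respond(self, a):
        self.calls += 1
        return (self.r, self.opening) if self.rng.random() < self.open_prob else None


def view_is_consistent(x, view):
    """A view carries a response z exactly when V* opened, and then (a, r, z) must accept."""
    ck, com, a, resp, z = view
    if z is None:
        return not opens(ck, com, resp)
    return opens(ck, com, resp) and sigma_accepts(x, a, resp[0], z)


def naive_simulator(rng, x, vstar):
    """Steps 1-5 of the naive classical simulator (no witness); step 4 has no runtime bound."""
    ck = rng.randrange(2**32)
    com = vstar.commit(ck)                   # step 1
    a0, _ = shvzk_sim(rng, x, 0)             # step 2
    resp = vstar.respond(a0)                 # step 3
    if not opens(ck, com, resp):
        return ck, com, a0, resp, None
    r_prime = resp[0]
    while True:                              # step 4: rewind until V* opens again
        a, z = shvzk_sim(rng, x, r_prime)
        resp = vstar.respond(a)
        if opens(ck, com, resp):             # binding forces resp[0] == r_prime
            return ck, com, a, resp, z       # step 5


def gk_simulator(rng, x, vstar, lam=8):
    """[GK96] fix: estimate V*'s opening probability on Sim(0) messages before switching
    to Sim(r'), then give the rewinding step a budget fixed by that estimate."""
    ck = rng.randrange(2**32)
    com = vstar.commit(ck)
    a0, _ = shvzk_sim(rng, x, 0)
    resp = vstar.respond(a0)
    if not opens(ck, com, resp):
        return ck, com, a0, resp, None
    r_prime = resp[0]
    trials, successes = 0, 0                 # keep running V* on Sim(0) messages ...
    while successes < lam:                   # ... until lam additional valid openings
        trials += 1
        a0, _ = shvzk_sim(rng, x, 0)
        successes += opens(ck, com, vstar.respond(a0))
    p_hat = lam / trials                     # estimated opening probability
    budget = lam * trials                    # = lam^2 / p_hat rewinds, fixed before the switch
    for _ in range(budget):
        a, z = shvzk_sim(rng, x, r_prime)
        resp = vstar.respond(a)
        if opens(ck, com, resp):
            return ck, com, a, resp, z
    return None                              # budget exhausted: simulation failure event
```

The only difference between the two simulators is the block between the first valid opening and the rewinding loop: `gk_simulator` spends its estimation calls on Sim(0) messages, i.e. on the same distribution the verifier has already been run on, and only then switches to Sim(r') with a budget it can no longer revise. A verifier whose behaviour changed at the switch would turn the missing budget into an unbounded loop in `naive_simulator` and into a bounded, efficiently checkable failure event in `gk_simulator`.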

We give a quantum simulator in $\mathrm{EQPT}_c$ for the [GK96] protocol that implements the analogous quantum version of this estimation trick. As in Section 2.3.7, the idea is to first compute an upper bound on the runtime of the $\mathsf{Transform}$ step (equivalently, a lower bound on the singular values) after measuring $C$ in Step 3* but before measuring $r$. This estimate is computed using a variable-length $\mathsf{Estimate}^{C,S_0}$ procedure, and since the $\mathsf{Transform}$ step has now been restricted to run in fixed polynomial time, we achieve the desired $p \cdot 1/p = 1$ cancellation in the expected running time.

Implementing this properly requires several tweaks to our simulator. In particular, the simulator no longer measures the verifier's challenge $r'$ directly in Step 3*; recording $r'$ is now delegated to $U$, since this step must be performed "in between" $\mathsf{Estimate}$ and $\mathsf{Transform}$. That is, we must modify $U$ so that instead of just performing (a coherent implementation of) $\mathsf{Transform}$, it runs the following steps coherently: (1) perform a variable-length $\mathsf{Estimate}$, where $\mathsf{Estimate}$ is parameterized by the same projectors as $\mathsf{Transform}$; (2) compute and measure the verifier's response; (3) run $\mathsf{Transform}$ using the time bound computed from $\mathsf{Estimate}$. We defer further details to the full proof (Section 13). We remark that just as in Section 2.3.7, the $\mathrm{negl}(\lambda)$ error incurred by the collapsing measurement moves into the correctness error of the simulation.


2.5 Related Work 


Post-Quantum Zero-Knowledge. The first construction of a zero-knowledge protocol secure against quantum adversaries is due to Watrous [Wat06]. Roughly speaking, [Wat06] shows that "partial simulators" that succeed with an inverse polynomial probability that is independent of the verifier state can be extended to full post-quantum zero-knowledge simulators. This technique handles sequential repetitions of classical $\Sigma$-protocols and has been used as a subroutine in other contexts (e.g., [BS20, BCKM21, CCY21, ACL21]), but its applicability is limited to somewhat special situations. Nevertheless, most prior post-quantum zero-knowledge results have relied crucially on the technique.

A recent work introduced a beautiful non-black-box technique that, in particular, achieves constant-round zero knowledge arguments for NP with strict polynomial time simulation [BS20]. As discussed above, the use of non-black-box techniques is necessary to achieve strict polynomial time simulation in the classical and quantum settings (and in the quantum setting this extends to $\mathrm{EQPT}_m$ simulation).

Finally, recent work [CCY21] showed that the Goldreich-Kahan protocol achieves post-quantum $\epsilon$-zero knowledge. This is closely related to our Theorem 1.4, and so we present a detailed comparison below.

Comparison with [CCY21]. The post-quantum security of the Goldreich-Kahan protocol was analyzed previously in [CCY21]. Our simulation strategy is related to that of [CCY21] in that the two simulators both consider the Jordan decomposition for essentially the same pair of projectors, but the two simulators are otherwise quite different.
At a high level, [CCY21] constructs a (non-trivial) quantum analogue of the following classical simulator: given error parameter $\epsilon$, repeat $\mathrm{poly}(1/\epsilon)$ times: sample $a \leftarrow \mathsf{Sim}(0)$ and run $V^*$ on $a$. If $V^*$ ever opens correctly, record its response $r$. Then, run a single execution of the protocol using $(a, z) \leftarrow \mathsf{Sim}(r)$ and output the result.

More concretely, the [CCY21] simulator first attempts to extract the verifier's challenge $r$ in $\mathrm{poly}(1/\epsilon)$ time, and then attempts to generate an accepting transcript in a single final interaction with the verifier. However, if the verifier aborts in this final interaction, the simulation fails; this is roughly because successfully extracting $r$ skews the verifier's state towards not aborting. To obtain a full simulator, they use an idea from [BS20]: (1) design a "partial simulator" that randomly guesses whether the verifier will abort in its final invocation, then achieves $\epsilon$-simulation conditioned on a correct guess; (2) apply [Wat06]-rewinding to "amplify" onto executions where the guess is correct.

It is natural to ask whether the above simulation strategy would have sufficed to prove Theorem 1.4 (instead of writing down a new simulator). We remark that this is unlikely; their simulator seems to be tailored to $\epsilon$-ZK and, moreover, does not address what [GK96] describe as the main technical challenge in the classical setting: handling verifiers that abort with all but negligible probability. In more detail:


• Their non-aborting simulator (like the classical analogue above) always tries to extract $r$. To achieve negligible simulation error, this extraction must succeed with all but negligible probability for any adversary that with inverse polynomial probability does not abort. This would require that the simulator run in superpolynomial time.

  Our simulator, as well as essentially all classical black-box ZK simulators, addresses this issue by first measuring whether the verifier aborts, and then only proceeding with the simulation in the non-aborting case.

• By Markov's inequality, expected polynomial time simulation implies $\epsilon$-simulation in time $O(1/\epsilon)$. As a function of $\epsilon$, the [CCY21] simulator runs in some large polynomial time (as currently written, they appear to achieve a runtime that is a large power of $1/\epsilon$, although it is likely unoptimized). Thus, even a hypothetical variable-runtime version of their simulator would not be expected polynomial time. In particular, the [BS20] "guessing" compiler appears to cause a quadratic blowup in the runtime of their non-aborting simulator (due to a required smaller accuracy parameter).

• The [BS20] "guessing" compiler adds an additional layer of complexity onto the [CCY21] simulator that is incompatible with the $\mathrm{EQPT}_c$ definition in the sense that given an $\mathrm{EQPT}_c$ partial simulator, the "guessing" compiler would not produce a procedure in $\mathrm{EQPT}_c$.

We also achieve some improvements over [CCY21] unrelated to the simulation accuracy:

• [CCY21] require that the underlying sigma protocol satisfies a delayed witness property, which is not required in the classical setting. Our "projector indistinguishability" lemma (Lemma 13.1; see also Section 2.4) enables us to handle arbitrary sigma protocols.

• [CCY21] require that the verifier commit to the sigma protocol challenge $r$ using a strong collapse-binding commitment. Using a new proof technique (see Section 4), we show that standard collapse-binding suffices.
Post-Quantum Extraction. As previously discussed, there is a line of prior work that achieves forms of post-quantum extraction that do not preserve the prover state. Below we briefly discuss prior work on state-preserving post-quantum extraction.

[BS20] directly constructs a state-preserving extractable commitment with non-black-box extraction in order to achieve their zero-knowledge result. Their construction makes use of post-quantum fully homomorphic encryption (for quantum circuits). Their extractor homomorphically evaluates the adversarial sender.

It is also shown that constant-round zero-knowledge arguments and post-quantum secure function evaluation generically imply constant-round state-preserving extractable commitments. Combining this with existing constructions yields a polynomial-round state-preserving extractable commitment scheme. Since this result also holds in the "$\epsilon$ setting," plugging in [CCY21] implies a constant-round $\epsilon$ state-preserving extractable commitment, although this protocol would have many rounds and is only privately verifiable.

All of the above results achieve computationally state-preserving extraction. A further work constructs a polynomial-round state-preserving extractable commitment scheme with statistical state preservation. They use the [Wat06] simulation technique as the core of their extraction procedure, applied to a new construction where statistical state preservation is possible.


3 Preliminaries 


The security parameter is denoted by λ. A function f : ℕ → [0,1] is negligible, denoted f(λ) = negl(λ), if it decreases faster than the inverse of any polynomial. A probability is overwhelming if it is at least 1 − negl(λ) for a negligible function negl(λ). For any positive integer n, let [n] := {1, 2, ..., n}. For a set R, we write r ← R to denote a uniformly random sample r drawn from R.


3.1 Quantum Preliminaries and Notation 


Quantum information. A (pure) quantum state is a vector |ψ⟩ in a complex Hilbert space H with ‖|ψ⟩‖ = 1; in this work, H is finite-dimensional. We denote by S(H) the space of Hermitian operators on H. A density matrix is a positive semi-definite operator ρ ∈ S(H) with Tr(ρ) = 1. A density matrix represents a probabilistic mixture of pure states (a mixed state); the density matrix corresponding to the pure state |ψ⟩ is |ψ⟩⟨ψ|. Typically we divide a Hilbert space into registers, e.g. H = H₁ ⊗ H₂. We sometimes write, e.g., ρ^{H₁} to specify that ρ ∈ S(H₁).

A unitary operation is a complex square matrix U such that UU† = I. The operation U transforms the pure state |ψ⟩ to the pure state U|ψ⟩, and the density matrix ρ to the density matrix UρU†.

A projector Π is a Hermitian operator (Π† = Π) such that Π² = Π. A projective measurement is a collection of projectors P = (Π_i)_{i∈S} such that Σ_{i∈S} Π_i = I. This implies that Π_iΠ_j = 0 for distinct i and j in S. The application of P to a pure state |ψ⟩ yields outcome i ∈ S with probability p_i = ‖Π_i|ψ⟩‖²; in this case the post-measurement state is |ψ_i⟩ = Π_i|ψ⟩/√p_i. We refer to the post-measurement state Π_i|ψ⟩/√p_i as the result of applying P to |ψ⟩ and post-selecting (conditioning) on outcome i. A state |ψ⟩ is an eigenstate of P if it is an eigenstate of every Π_i.

A two-outcome projective measurement is called a binary projective measurement, and is written as P = (Π, I − Π), where Π is associated with the outcome 1, and I − Π with the outcome 0.
General (non-unitary) evolution of a quantum state can be represented via a completely-positive trace-preserving (CPTP) map T : S(H) → S(H′). We omit the precise definition of these maps in this work; we only use the facts that they are trace-preserving (for every ρ ∈ S(H) it holds that Tr(T(ρ)) = Tr(ρ)) and linear.

For every CPTP map T : S(H) → S(H) there exists a unitary dilation U that operates on an expanded Hilbert space H ⊗ K, so that T(ρ) = Tr_K(U(ρ ⊗ |0⟩⟨0|^K)U†). This is not necessarily unique; however, if T is described as a circuit then there is a dilation U_T represented by a circuit of size O(|T|).

For Hilbert spaces A, B the partial trace over B is the unique CPTP map Tr_B : S(A ⊗ B) → S(A) such that Tr_B(ρ_A ⊗ ρ_B) = Tr(ρ_B)ρ_A for every ρ_A ∈ S(A) and ρ_B ∈ S(B).

A general measurement is a CPTP map M : S(H) → S(H ⊗ O), where O is an ancilla register holding a classical outcome. Specifically, given measurement operators {M_i}_i such that Σ_i M_i†M_i = I and a basis {|i⟩}_i for O, M(ρ) := Σ_i (M_iρM_i† ⊗ |i⟩⟨i|^O). We sometimes implicitly discard the outcome register. A projective measurement is a general measurement where the M_i are projectors. A measurement induces a probability distribution over its outcomes given by Pr[i] = Tr((I ⊗ |i⟩⟨i|^O) M(ρ)); we denote sampling from this distribution by i ← M(ρ).

The trace distance between states ρ, σ, denoted d(ρ, σ), is defined as $\tfrac{1}{2}\mathrm{Tr}\,|\rho - \sigma|$. The trace distance is contractive under CPTP maps (for any CPTP map T, d(T(ρ), T(σ)) ≤ d(ρ, σ)). It follows that for any measurement M, the statistical distance between the distributions M(ρ) and M(σ) is bounded by d(ρ, σ). We have the following gentle measurement lemma, which bounds how much a state is disturbed by applying a measurement whose outcome is almost certain.


Lemma 3.1 (Gentle Measurement). Let ρ ∈ S(H) and P = (Π, I − Π) be a binary projective measurement on H such that Tr(Πρ) ≥ 1 − δ. Let

$$\rho' = \frac{\Pi \rho \Pi}{\mathrm{Tr}(\Pi \rho)}$$

be the state after applying P to ρ and post-selecting on obtaining outcome 1. Then

$$d(\rho, \rho') \le 2\sqrt{\delta}.$$


Definition 3.2. A real-valued measurement M on H is (ε, δ)-almost-projective if applying M twice in a row to any state ρ ∈ S(H) produces measurement outcomes p, p′ where

$$\Pr\big[\,|p - p'| \le \varepsilon\,\big] \ge 1 - \delta.$$


Quantum algorithms. In this work, a quantum adversary is a family of quantum circuits {Adv_λ}_{λ∈ℕ} represented classically using some standard universal gate set. A quantum adversary is polynomial-size if there exists a polynomial p and λ₀ ∈ ℕ such that for all λ > λ₀ it holds that |Adv_λ| ≤ p(λ) (i.e., quantum adversaries have classical non-uniform advice).


3.2 Black-Box Access to Quantum Algorithms 


Let A be a polynomial-time quantum algorithm with internal state ρ ∈ D(H) whose behavior is specified by a unitary U on X ⊗ H. A quantum oracle algorithm S^A with black-box access to (A, ρ) is restricted to acting on H (which is initially set to ρ) by applying the unitary U or U†, but can freely manipulate X and an arbitrary external register Y.

Black-box access models sometimes permit the U and U† gates to be controlled on any external registers (i.e., any registers other than the registers X ⊗ H to which U is applied). We note that none of the black-box algorithms in this work require controlled access to U, U†. This is because our black-box use of U, U† takes the form U†(I_H ⊗ V_{X,Y₁})U where V is a unitary acting only on X ⊗ Y₁, and we can replace U, U† controlled on Y₂ with V controlled on Y₂.


Algorithms with classical input and output. We also consider the special case of quantum algorithms that take a classical "challenge" r and produce a classical "response" z. Writing X = R ⊗ Z, an algorithm of this form is specified by a unitary U on R ⊗ Z ⊗ H of the form Σ_r |r⟩⟨r|_R ⊗ U_r. For example, S^A can run A on a superposition of inputs by instantiating R ⊗ Z to Σ_r |r⟩ ⊗ |0⟩ and then applying U.

We note that this definition is consistent with the notions of interactive quantum machines 
and oracle access to an interactive quantum machine used in e.g. and other works on 
post-quantum zero-knowledge. 

We remark that our formalism is tailored to the two-message challenge-response setting. While the protocols we analyze in this paper will have more than two messages of interaction, our analysis will typically center around two particular messages in the middle of a longer execution, and ρ will be the intermediate state of the interactive algorithm right before the next challenge is sent. We also point out that the unitary U can be treated as independent of the (classical) protocol transcript before challenge r is sent, since we can assume this transcript is saved in ρ.


3.3 Jordan’s Lemma 


We state Jordan’s lemma and its relation to the singular value decomposition. 


Lemma 3.3 ([Jor75]). For any two Hermitian projectors Π_A and Π_B on a Hilbert space H, there exists an orthogonal decomposition of H = ⊕_j S_j into one-dimensional and two-dimensional subspaces {S_j}_j (the Jordan subspaces), where each S_j is invariant under both Π_A and Π_B. Moreover:


• in each one-dimensional subspace, Π_A and Π_B act as identity or rank-zero projectors; and

• in each two-dimensional subspace S_j, Π_A and Π_B are rank-one projectors. In particular, there exist distinct orthogonal bases {|v_{j,1}⟩, |v_{j,0}⟩} and {|w_{j,1}⟩, |w_{j,0}⟩} for S_j such that Π_A projects onto |v_{j,1}⟩ and Π_B projects onto |w_{j,1}⟩.


A simple proof of Jordan's lemma can be found in [Reg06].

For each j, the vectors |v_{j,1}⟩ and |w_{j,1}⟩ are corresponding left and right singular vectors of the matrix Π_AΠ_B with singular value s_j = |⟨v_{j,1}|w_{j,1}⟩|. The same is true for |v_{j,0}⟩ and |w_{j,0}⟩ with respect to (I − Π_A)(I − Π_B).


3.4 Commitment Schemes 


A commitment scheme consists of a pair of PPT algorithms (Gen, Commit) with the following properties.

Statistical/computational hiding. For an adversary Adv, define the experiment Exp^{hide}_{Adv}(λ) as follows.


1. Adv(1^λ) sends (ck, m₀, m₁) to the challenger.
2. The challenger flips a coin b ← {0,1} and returns com := Commit(ck, m_b) to the adversary.
3. The adversary outputs a bit b′. The experiment outputs 1 if b = b′.


We say that (Gen, Commit) is statistically (resp. computationally) hiding if for all unbounded (resp. non-uniform QPT) adversaries Adv,


$$\big|\Pr[\mathrm{Exp}^{\mathrm{hide}}_{\mathsf{Adv}}(\lambda) = 1] - 1/2\big| = \mathrm{negl}(\lambda).$$


Statistical/computational binding. For an adversary Adv, define the experiment Exp^{bind}_{Adv}(λ) as follows.


1. The challenger generates ck ← Gen(1^λ).
2. Adv(ck) sends (m₀, w₀, m₁, w₁) to the challenger.
3. The experiment outputs 1 if Commit(ck, m₀, w₀) = Commit(ck, m₁, w₁).


We say that (Gen, Commit) is statistically (resp. computationally) binding if for all unbounded (resp. non-uniform QPT) adversaries Adv,


$$\Pr[\mathrm{Exp}^{\mathrm{bind}}_{\mathsf{Adv}}(\lambda) = 1] = \mathrm{negl}(\lambda).$$


Collapse binding. For an adversary Adv, define the experiment Exp^{collapse}_{Adv}(λ) as follows.


1. The challenger generates ck ← Gen(1^λ).

2. Adv(ck) sends a commitment com and a quantum state ρ on registers M ⊗ W.

3. The challenger flips a coin b ← {0,1}. If b = 0, the challenger does nothing. Otherwise, the challenger measures M in the computational basis.

4. The challenger returns registers M ⊗ W to the adversary, who outputs a bit b′. The experiment outputs 1 if b = b′.

We say that Adv is valid if measuring the output of Adv(ck) in the computational basis yields, with probability 1, (com, m, w) such that Commit(ck, m, w) = com.
We say that (Gen, Commit) is collapse-binding if for all valid non-uniform QPT adversaries Adv,


$$\big|\Pr[\mathrm{Exp}^{\mathrm{collapse}}_{\mathsf{Adv}}(\lambda) = 1] - 1/2\big| = \mathrm{negl}(\lambda).$$

3.5 Preliminaries on Interactive Arguments


An interactive argument for an NP-language L consists of a pair of interactive algorithms P, V:


• The prover algorithm P is given as input an NP statement x and an NP witness w for x.


• The verifier algorithm V is given as input an NP statement x; at the end of the interaction, it outputs a bit b (interpreted as "accept"/"reject").

The minimal requirement we ask of such a protocol is completeness, which states that when the honest P, V algorithms are executed on a valid instance-witness pair (x, w), the verifier should accept with probability 1 − negl(λ).

We typically consider interactive arguments consisting of either 3 or 4 messages. In many (but not all) settings we assume that the argument system is public-coin (in the second-to-last round), meaning that the second-to-last message (or challenge) is a uniformly random string r from some domain. We will use the following notation to denote messages in any such protocol:


• For 4-message public-coin protocols, we use vk to denote the first verifier message.
• We denote the first prover message by a.

• We denote the verifier challenge by r.

• We denote the prover response by z.

• We denote the verification predicate by V(vk, a, r, z).


We consider 3-message protocols as a special case of 4-message protocols in which vk = ⊥.
A key property of interactive protocols considered in this work is collapsing (and relaxations thereof), defined below.


Definition 3.4 (Collapsing Protocol [Unr16b; LZ19; DFMS19]). An interactive protocol (P, V) is collapsing if for every polynomial-size interactive quantum adversary A (where A may have an arbitrary polynomial-size auxiliary input quantum advice state),


$$\big|\Pr[\mathsf{CollapseExpt}(0, A) = 1] - \Pr[\mathsf{CollapseExpt}(1, A) = 1]\big| \le \mathrm{negl}(\lambda).$$


For b ∈ {0,1}, the experiment CollapseExpt(b, A) is defined as follows:


1. The challenger runs the interaction ⟨A, V⟩ between A (acting as a malicious prover) and the honest verifier V, stopping just before the measurement of the register Z containing the malicious prover's final message. Let τ′ be the transcript up to this point, excluding the final prover message.

2. The challenger applies a unitary U to compute the verifier's decision bit V(τ′, Z) onto a fresh ancilla, measures the ancilla, and then applies U†. If the measurement outcome is 0, the experiment aborts.

3. If b = 0, the challenger does nothing. If b = 1, the challenger measures the Z register in the computational basis and discards the result.

4. The challenger returns the Z register to A. Finally A outputs a bit b′, which is the output of the experiment.


Definition 3.4 captures the collapsing property of Kilian's interactive argument system [Kil92] (as well as other Σ-protocols that make use of "strongly collapsing commitments" [CCY21]), but does not accurately capture protocols that make use of commitments satisfying statistical binding but not "strict binding" [Unr12]. To capture these protocols, we introduce a partial-collapsing definition.

For a 3 or 4-message interactive protocol (P, V), let T denote the set of transcript prefixes τ_pre (i.e., the first message a in a 3-message protocol or the first two messages (vk, a) in a 4-message protocol), let R denote the set of challenges r (the second-to-last message) and let Z denote the set of possible responses z (the final message). Informally, such a protocol is partially collapsing with respect to a function f : T × R × Z → {0,1}* if the prover cannot detect a measurement of f.

Definition 3.5 (Partially Collapsing Protocol). Let f : T × R × Z → {0,1}* be a public efficiently computable function. A 3 or 4-message interactive protocol (P, V) is partially collapsing with respect to f if for every polynomial-size interactive quantum adversary A (where A may have an arbitrary polynomial-size auxiliary input quantum advice state),


$$\big|\Pr[\mathsf{PCollapseExpt}(0, f, A) = 1] - \Pr[\mathsf{PCollapseExpt}(1, f, A) = 1]\big| \le \mathrm{negl}(\lambda).$$


For b ∈ {0,1}, the experiment PCollapseExpt(b, f, A) is defined as follows:


1. The challenger runs the interaction ⟨A, V⟩ between A (acting as a malicious prover) and the honest verifier V, stopping just before the measurement of the register Z containing the malicious prover's final message. Let (τ_pre, r) be the transcript up to this point (i.e., excluding the final prover message).

2. The challenger applies a unitary U to compute the verifier's decision bit V(τ_pre, r, Z) onto a fresh ancilla, measures the ancilla, and then applies U†. If the measurement outcome is 0, the experiment aborts.

3. If b = 0, the challenger does nothing. If b = 1, the challenger initializes a fresh ancilla Y to |0⟩_Y, applies the unitary U_f (acting on Z ⊗ Y) that computes f(τ_pre, r, ·) on Z and XORs the output onto Y, measures Y and discards the result, and then applies U_f†.

4. The challenger returns the Z register to A. Finally A outputs a bit b′, which is the output of the experiment.


Definition 3.5 captures the collapsing property of standard commit-and-open Σ-protocols [GMW86] that make use of statistically binding (or, more generally, standard collapse-binding [CCY21]) commitments by setting f to output the part of z corresponding to the committed message (but not the opening). In some other cases (a subroutine of the [GMW86] graph non-isomorphism protocol, as well as the "reverse Hamiltonicity" Σ-protocol) we will use more complicated definitions of f that measure different pieces of information depending on the challenge r.

Finally, we recall the definition of special honest-verifier zero knowledge. 


Definition 3.6 (Special honest-verifier zero knowledge). A 3-message sigma protocol (P_Σ, V_Σ) is special honest-verifier zero knowledge (SHVZK) if there exists an algorithm SHVZK.Sim such that for all (x, w) ∈ R and challenges r ∈ R, the distributions


SHVZK.Sim(x, r) and (a, z) ← P_Σ(x, w, r)


are computationally indistinguishable.


4 Standard Collapse-Binding Implies Unique Messages 


Recall that the standard collapse-binding security property ensures that if an efficient adversary produces a superposition of valid message-opening pairs (m, w) to a commitment c, then it cannot detect whether a measurement of m is performed. There is an apparent deficiency with this definition as compared to the classical binding definition, which Unruh (implicitly) observes in [Unr16b]: collapse-binding does not seem to imply that an adversary cannot give valid openings to two different messages if the openings themselves are not measured.




This issue has received relatively little attention, in part because circumventing it turns out to be fairly easy in many cases by either modifying the underlying protocol, or by simply assuming "strong" collapse-binding where the measurement of the message and opening is undetectable. For example:


• In [Unr12], Unruh introduces the notion of a strict-binding commitment, defined so that for any commitment c, there is a unique valid message-opening pair (m, w). Unruh shows that standard Σ-protocols (such as GMW 3-coloring and Blum Hamiltonicity) are sound when instantiated with strict-binding commitments, but due to the issue described above, is unable to prove that these protocols are sound when instantiated with a statistically-binding commitment.


• In [Unr16b], Unruh gives a generic transformation which converts a classically secure Σ-protocol into a quantum proof of knowledge by committing to the responses to each challenge in advance. However, in many Σ-protocols (e.g. [Blu86]) the response already consists of an opening to a commitment; are these protocols secure if the commitment is collapse-binding?


• This issue also arises in [CCY21], which explicitly asks for a strong collapse-binding commitment to instantiate their Σ-protocols. (They do note that a statistically binding commitment also suffices via a different argument.)


We believe this is an unsatisfying state of affairs. Collapse-binding is widely accepted as the quantum analogue of classical computational binding, but as the above examples illustrate, there are many natural settings where it is unclear whether it can be used as a drop-in replacement for classically binding commitments. Given this issue, a natural suggestion would be to treat strong collapse-binding as the quantum analogue of classical binding. However, we suggest that any definition of quantum computational binding should at least capture statistically binding commitments. Statistically binding commitments do not generically satisfy strong collapse-binding, but are (standard) collapse-binding. Worse, strong collapse-binding is not a "robust" notion: we can make any commitment scheme lose its strong collapse-binding property by adding a single bit to the opening that the receiver ignores.

In this section, we resolve this difficulty and show that standard collapse-binding generically implies that an adversary cannot give two valid openings for two different messages, even when the openings are left unmeasured. This simplifies some of the proofs in this work, and also implies that strong collapse-binding and strict binding are unnecessary in the above examples.

Towards proving this, we first formalize a natural security property that captures the fact that a quantum adversary should only be able to open to a unique message.

Let Com = (Gen, Commit) be a non-interactive commitment scheme. Define the following challenger-adversary interaction Exp^{uniq}_{Adv}(λ), where Adv = (Adv₁, Adv₂) is a two-phase adversary.


1. The challenger generates ck ← Gen(1^λ).


2. Run Adv₁(ck) to output a classical commitment string com, a classical message m₁ and a superposition of openings on register W. It also returns its internal state H, which is passed on to Adv₂.


3. The challenger measures whether W contains a valid opening for m₁ with respect to com and aborts (and outputs 0) if not.

4. Run Adv₂(ck) on (H, W). It outputs another message m₂ and a superposition of openings on register W. If m₂ = m₁ then the experiment aborts and outputs 0.


5. The challenger measures whether W contains a valid opening for m₂ with respect to com. If so, the experiment outputs 1, otherwise 0.


Definition 4.1. We say that a commitment is unique-message binding (i.e., it can only be opened to a unique message) if for all QPT adversaries Adv,


$$\Pr[\mathrm{Exp}^{\mathrm{uniq}}_{\mathsf{Adv}}(\lambda) = 1] = \mathrm{negl}(\lambda).$$


Lemma 4.2. Any collapse-binding commitment Com satisfies unique-message binding.


We remark that the unique-message binding definition and this lemma easily extend to in- 
teractive collapse-binding commitments. However, we will focus on the non-interactive case for 
simplicity. Our proof is reminiscent of the “control qubit” trick used by Unruh in to prove 
that collapse-binding implies a notion called sum-binding. 


Proof. Suppose that Adv = (Adv₁, Adv₂) satisfies Pr[Exp^{uniq}_{Adv}(λ) = 1] = ε(λ) = ε. Then we construct an adversary Adv′ that obtains advantage ε/8 in the collapsing game for Com as follows:

1. Upon receiving ck from the challenger, Adv′ does the following:

(a) Run Adv₁(ck) to obtain a classical commitment com, a classical message m₁ (on register M), and registers W, H.

(b) Measure whether W contains a valid opening for m₁ with respect to com; if the opening is invalid, abort and output a random b′.²

(c) Next, prepare an ancilla qubit B in the state |+⟩, and then apply the unitary U defined as

$$U = |1\rangle\langle 1|_B \otimes U^{\mathsf{Adv}_2}_{H,M,W} + |0\rangle\langle 0|_B \otimes I_{H,M,W},$$

where U^{Adv₂} is a unitary description of Adv₂ (the action of Adv₂ on H ⊗ M ⊗ W is unitary without loss of generality). That is, the unitary U has two branches of computation: it does nothing when B = 0, and it runs Adv₂ when B = 1.

(d) Next apply the binary projective measurement (Π_{ck,com,m₁}, I − Π_{ck,com,m₁}) where

$$\Pi_{ck,com,m_1} = |0\rangle\langle 0|_B \otimes I_{H,M,W} + |1\rangle\langle 1|_B \otimes I_H \otimes \sum_{\substack{m,w\,:\; m \neq m_1 \,\wedge \\ \mathsf{Commit}(ck,m,w) = com}} |m,w\rangle\langle m,w|_{M,W}.$$

This measurement checks that after applying U, the output of Adv₂ (when B = 1) is a valid message and opening (m, w) where m ≠ m₁. If this measurement rejects, abort and output a random b′.

(e) Finally, send M ⊗ W to the collapsing challenger.

2. When the collapsing challenger returns M ⊗ W, apply U†.

3. Perform the binary projective measurement (Π₊, I − Π₊) where Π₊ := |+⟩⟨+|_B ⊗ I_{H,M,W}. If the measurement outcome is 1 (corresponding to |+⟩), then Adv′ outputs b′ = 0 (i.e., guesses that the collapsing challenger did not measure the message). Otherwise, it outputs b′ = 1.

² To match the syntax of the collapsing game, the "abort" works as follows: Adv′(ck) initializes M ⊗ W to some valid commitment, sends it to the challenger, ignores the registers it gets back, and then outputs a random b′.


We now compute the probability that Adv′ outputs b′ = b for each choice of the collapsing challenge bit b.

If b = 1, then Adv′ guesses correctly (outputs b′ = 1) with probability exactly 1/2. This is because if Adv′ aborts, it outputs 1 with probability 1/2 by definition, and if it does not abort, then it sends the collapsing challenger M ⊗ W where a measurement of the M register will completely determine the B register. In particular, if the outcome of the M measurement is m₁, B collapses to |0⟩; otherwise, B collapses to |1⟩. In either case, the probability that the measurement of (Π₊, I − Π₊) returns 0 (making Adv′ output b′ = 1) is exactly 1/2.

We now consider the case b = 0. Let ρ = Σ_{ck,com,m₁} ρ_{ck,com,m₁} + ρ_⊥ be the state on M ⊗ W ⊗ H after Step 1b, where ρ_{ck,com,m₁} is the (subnormalized) state corresponding to outcomes ck, com, m₁ and the outcome "valid" in Step 1b, and ρ_⊥ is the (subnormalized) state corresponding to the outcome "invalid" in Step 1b.

Recall that in the case b = 0, the collapsing challenger does nothing to M ⊗ W. Thus the effect of Steps 1c, 1d and 2 is to apply a binary projective measurement (Π^{(1)}_{ck,com,m₁}, I − Π^{(1)}_{ck,com,m₁}), where

$$\Pi^{(1)}_{ck,com,m_1} := U^\dagger\, \Pi_{ck,com,m_1}\, U.$$

Writing σ_{ck,com,m₁} := |+⟩⟨+|_B ⊗ ρ_{ck,com,m₁} for the state on B ⊗ M ⊗ W ⊗ H once Step 1c has prepared B, it holds from the description of the experiment that

$$
\begin{aligned}
\Pr[b' = 0] &= \tfrac{1}{2}\mathrm{Tr}(\rho_\bot)
 + \tfrac{1}{2}\sum_{ck,com,m_1} \mathrm{Tr}\Big(\big(I - \Pi^{(1)}_{ck,com,m_1}\big)\,\sigma_{ck,com,m_1}\Big)
 + \sum_{ck,com,m_1} \mathrm{Tr}\Big(\Pi_+\,\Pi^{(1)}_{ck,com,m_1}\,\sigma_{ck,com,m_1}\,\Pi^{(1)}_{ck,com,m_1}\Big) \\
&\ge \tfrac{1}{2}\mathrm{Tr}(\rho_\bot)
 + \tfrac{1}{2}\sum_{ck,com,m_1} \mathrm{Tr}\Big(\big(I - \Pi^{(1)}_{ck,com,m_1}\big)\,\sigma_{ck,com,m_1}\Big)
 + \sum_{ck,com,m_1} \frac{\mathrm{Tr}\big(\Pi^{(1)}_{ck,com,m_1}\,\sigma_{ck,com,m_1}\big)^2}{\mathrm{Tr}(\rho_{ck,com,m_1})} \\
&\ge \tfrac{1}{2}\mathrm{Tr}(\rho_\bot)
 + \tfrac{1}{2}\sum_{ck,com,m_1} \mathrm{Tr}\Big(\big(I - \Pi^{(1)}_{ck,com,m_1}\big)\,\sigma_{ck,com,m_1}\Big)
 + \frac{\Big(\sum_{ck,com,m_1} \mathrm{Tr}\big(\Pi^{(1)}_{ck,com,m_1}\,\sigma_{ck,com,m_1}\big)\Big)^2}{\sum_{ck,com,m_1} \mathrm{Tr}(\rho_{ck,com,m_1})},
\end{aligned}
$$

where the latter inequality is Jensen's inequality, and the former is the following claim, applied with Π_A = Π₊ and Π_B = Π^{(1)}_{ck,com,m₁} (note that Π₊ σ_{ck,com,m₁} = σ_{ck,com,m₁} and Tr(σ_{ck,com,m₁}) = Tr(ρ_{ck,com,m₁})):

Claim 4.3. If Π_A ρ = ρ then Tr(Π_A Π_B ρ Π_B) ≥ Tr(Π_B ρ)² / Tr(ρ).

Proof. Tr(Π_B ρ) = Tr(Π_B ρ Π_A) = Tr(Π_A Π_B ρ) ≤ √(Tr(Π_A Π_B ρ Π_B Π_A) · Tr(ρ)), where the inequality is by Cauchy-Schwarz. □


Let γ := Σ_{ck,com,m₁} Tr(ρ_{ck,com,m₁}). Observe that Σ_{ck,com,m₁} Tr(Π^{(1)}_{ck,com,m₁} σ_{ck,com,m₁}) = (γ + ε)/2. It follows that


Thus the overall probability that Adv′ guesses a random b correctly in the collapsing experiment is at least 1/2 + ε(λ)/8. □


5 Generalized Notions of Special Soundness 


Let (P, V) denote a 3 or 4-message public-coin interactive proof or argument system. Let T denote the set of transcript prefixes τ_pre (i.e., the first message in a 3-message protocol or the first two messages in a 4-message protocol), let R denote the set of challenges r (the second-to-last message) and let Z denote the set of possible responses z (the final message). The instance x is assumed to be part of τ_pre, which allows us to capture protocols in which the instance is adaptively chosen by the prover in its first message.

We introduce generalizations of the special soundness property to capture situations where


1. the special soundness extractor is able to produce a witness given only a function f(z) of the response z, and/or


2. the extractor is only required to succeed (with some 1 − negl(λ) probability) when the challenges are sampled from an "admissible distribution."


The second property is related to the notion of probabilistic special soundness due to [CMSZ21].³ Throughout this section, k will be a parameter specifying the number of (partial) transcripts required to extract.


5.1 Generalized Special Soundness Definitions 
We first recall the standard definition of k-special soundness.


Definition 5.1 (k-special soundness). An interactive protocol (P, V) is k-special-sound if there exists an efficient extractor SSExtract : T × (R × Z)^k → {0,1}* such that given τ_pre, (r_i, z_i)_{i∈[k]} where each r_i is distinct and for each i, (τ_pre, r_i, z_i) is an accepting transcript, SSExtract(τ_pre, (r_i, z_i)_{i∈[k]}) outputs a valid witness w for the instance x with probability 1.


In order to generalize this definition, we consider interactive protocols (P, V) with a "consistency" predicate g : T × (R × {0,1}*)^* → {0,1}. The argument {0,1}* corresponds to some partial information y about a response z. The consistency predicate should have the property that if g(τ_pre, (r_i, y_i)_{i∈[k]}) = 1, then g(τ_pre, (r_i, y_i)_{i∈G}) = 1 for all subsets G ⊆ [k]. For any positive integer k, we define the set Consistent_k to be the subset of T × (R × {0,1}*)^k on which g outputs 1. We can extend k-special soundness to allow the SSExtract algorithm to produce a witness given only partial information y_i of the responses z_i, provided that the "partial transcripts" satisfy consistency.


Definition 5.2 ((k, g)-special soundness). An interactive protocol (P, V) is (k, g)-special-sound if there exists an efficient extractor SSExtract_g : T × (R × {0,1}*)^k → {0,1}* such that given (τ_pre, (r_i, y_i)_{i∈[k]}) ∈ Consistent_k where each r_i is distinct, SSExtract_g(τ_pre, (r_i, y_i)_{i∈[k]}) outputs a valid witness w with probability 1.


³ A similar (but not identical) definition appears in an older version of [CMSZ21]: https://arxiv.org/pdf/2103.08140v1.pdf




Notice that all k-special-sound protocols with super-polynomial size challenge space are (k, g)-probabilistic-special-sound for the "trivial" consistency predicate g that simply checks (interpreting y_i = z_i as a full response) whether all the transcripts are accepting.


Claim 5.3. For any k-special-sound protocol (P, V), there exists a consistency predicate g such that (P, V) is (k, g)-special-sound.


Proof. Define g to output 1 on input τ_pre, (r_i, y_i)_{i∈[k]} if and only if each (τ_pre, r_i, y_i) is an accepting transcript. It follows that the original SSExtract in the special soundness definition satisfies the requirements of the (k, g)-special soundness definition. □


When the challenge space R is super-polynomial-size, we can generalize this definition even further so that the extractor need not succeed on worst-case k-tuples of distinct challenges, but only on k-tuples sampled from an "admissible distribution."


Definition 5.4 (Q-admissible distribution). A distribution D_k over R^k is Q-admissible if there exists a negligible function negl(λ) and a sampling procedure Samp such that D_k is negl(λ)-close to the output distribution of the following process:

• Samp makes, in expectation, Q(λ) classical queries to an oracle O_R that outputs a uniformly random challenge r ← R each time it is queried.

• Samp must produce its output as follows. Let Q_total be the total number of queries it makes to O_R. Samp specifies a set {i₁, ..., i_k} ⊆ [Q_total], and its output is defined to be r_{i₁}, ..., r_{i_k}, where r_i is the i-th output of the uniform sampling oracle O_R.

We stress that Samp may use an arbitrary (e.g., even inefficient) process to select the set {i₁, ..., i_k}. Moreover, the output challenges r_{i₁}, ..., r_{i_k} do not necessarily have distinct values (this can occur if the sampling oracle O_R outputs the same challenge more than once).


Definition 5.5 (admissible distribution). A distribution D_k over R^k is admissible if there exists Q = poly(λ) such that D_k is a Q-admissible distribution.


Definition 5.6 ((k, g)-probabilistic special soundness). An interactive protocol (P, V) with consistency predicate g is (k, g)-probabilistic-special-sound if there exists an efficient extractor PSSExtract_g : T × (R × {0,1}*)^k → {0,1}* such that for any distribution D supported on Consistent_k whose marginal distribution on R^k is admissible,


$$\Pr_{(\tau_{\mathrm{pre}},\,(r_i, y_i)_{i\in[k]}) \leftarrow D}\Big[\mathsf{PSSExtract}_g\big(\tau_{\mathrm{pre}}, (r_i, y_i)_{i\in[k]}\big) \to w \;\wedge\; w \text{ is a valid witness for } x\Big] = 1 - \mathrm{negl}(\lambda).$$


Note that (k, g)-probabilistic special soundness (PSS) is only meaningful when the challenge space R has super-polynomial size. When |R| is polynomial, an admissible distribution D_k can simply output (r, ..., r) (the same challenge repeated k times), since there exists a Samp that simply queries O_R until it outputs the same challenge k times.

However, when |R| is superpolynomial, (k, g)-PSS is a relaxation of (k, g)-special soundness.


Claim 5.7. When |R| = 2^{Ω(λ)}, any (k, g)-special-sound protocol is also (k, g)-probabilistic-special-sound.


Proof. It suffices to prove that the probability that any admissible distribution outputs the same challenge r more than once is negl(λ). By the definition of an admissible distribution, its output is negl(λ)-close to the output of an arbitrary sampling algorithm that makes an expected poly(λ) number of queries to a uniform sampling oracle O_R over R, and then outputs a size-k subset of the oracle responses.

Suppose towards a contradiction that there exists a constant c such that for infinitely many λ ∈ ℕ, the sampling oracle O_R outputs a repeated challenge with probability 1/λ^c. Let d be a constant such that the expected number of queries to the uniform sampling oracle O_R is O(λ^d). If 0 ≤ q ≤ λ^{d+c+1} oracle queries have already been made, the probability that the next oracle query yields a collision is at most λ^{d+c+1}/|R|. This implies that the probability of finding a collision within λ^{d+c+1} queries is at most λ^{2d+2c+2}/|R|. Thus, to find a collision with probability at least 1/λ^c, the number of oracle queries must be at least λ^{d+c+1} with probability at least 1/λ^c − λ^{2d+2c+2}/|R|, which implies that the expected number of oracle queries is at least λ^{d+c+1}(1/λ^c − λ^{2d+2c+2}/|R|) = λ^{d+1} − λ^{3d+3c+3}/|R|. Since |R| = 2^{Ω(λ)}, there exists a constant λ₀ such that for all λ > λ₀, this expectation is λ^{d+1} − λ^{3d+3c+3}/|R| ≥ λ^{d+1} − 1. This contradicts our assumption that the expected number of queries to the sampling oracle is O(λ^d). □


5.2 A Special Soundness Parallel Repetition Theorem 


Although it is well-known that 2-special soundness is preserved under parallel repetition, the situ- 
ation is more complicated for generalized special soundness notions (and even k-special soundness 
for larger values of k). We state and prove a useful theorem about the parallel repetition of special 
sound protocols. 


Lemma 5.8. If $\Sigma = (P, V)$ is a $(k, g)$-special-sound protocol, then the $t = \Omega(k^2 \log^2(\lambda))$-fold parallel 
repetition $\Sigma^t$ is $(k^2, g^t)$-probabilistic special sound, where $g^t$ outputs 1 if and only if (1) the arguments 
$y_i$ consist of $t$ formally separated components, and (2) $g$ outputs 1 on each of the $t$ components. 


Proof. Let $\mathsf{Consistent}_{k^2}$ be the set of $k^2$-tuples of shared-prefix partial transcripts of $\Sigma^t$ on which 
$g^t$ outputs 1. Let $D$ be a distribution supported on $\mathsf{Consistent}_{k^2}$ whose marginal distribution on 
$(R^t)^{k^2}$ is admissible. 

We construct $\mathsf{PSSExtract}_{\Sigma^t}$ for $\Sigma^t$ that takes as input 
\[
\Big((\tau_{\mathrm{pre},j})_{j\in[t]},\; \big((r_{j,i})_{j\in[t]}, (y_{j,i})_{j\in[t]}\big)_{i\in[k^2]}\Big)
\]
and does the following: 

1. Look for $j \in [t]$ such that $\{r_{j,i}\}_{i\in[k^2]}$ consists of $k$ distinct challenges. If no such $j$ exists, 
abort and output $\bot$. 

2. If such a $j$ exists, let $H$ be a size-$k$ subset of $[k^2]$ such that $\{r_{j,i}\}_{i\in H}$ consists of $k$ distinct 
challenges, and let $\mathsf{SSExtract}_\Sigma$ be the $(k,g)$-special-soundness extractor for $\Sigma$. Run 
$\mathsf{SSExtract}_\Sigma(\tau_{\mathrm{pre},j}, (r_{j,i}, y_{j,i})_{i\in H}) \to w$ and output $w$. 

First, we note that 
\[
g\big(\tau_{\mathrm{pre},j}, (r_{j,i}, y_{j,i})_{i\in H}\big) = 1
\]
follows from 
\[
g^t\Big((\tau_{\mathrm{pre},j})_{j\in[t]},\; \big((r_{j,i})_{j\in[t]}, (y_{j,i})_{j\in[t]}\big)_{i\in[k^2]}\Big) = 1.
\]
Thus, it suffices to prove that this extractor aborts with probability $\mathrm{negl}(\lambda)$. Define $\mathsf{BAD} \subset R^{tk^2}$ 
to be the set of all $tk^2$-tuples $(r_{j,i})_{j\in[t], i\in[k^2]}$ such that for all $j \in [t]$, the $k^2$-tuple $(r_{j,i})_{i\in[k^2]}$ does 
not contain $k$ distinct challenges. 

Suppose $(r_{j,i})_{j\in[t], i\in[k^2]}$ is sampled uniformly at random from $R^{tk^2}$. Then we have 
\[
\Pr_{(r_{j,i})_{j\in[t], i\in[k^2]} \leftarrow R^{tk^2}}\Big[(r_{j,i})_{j\in[t], i\in[k^2]} \in \mathsf{BAD}\Big] \le \Big(\frac{k}{e^k}\Big)^t.
\]
This follows from the fact that for any fixed $j$, the probability that $(r_{j,i})_{i\in[k^2]}$ does not contain $k$ 
distinct challenges is at most $k\big((k-1)/k\big)^{k^2} \le k/e^k$. 

By the definition of an admissible distribution (Definition 5.5), the marginal distribution of 
$D_{\Sigma^t}$ on $(R^t)^{k^2}$ is the result of the following process (up to $\mathrm{negl}(\lambda)$ statistical distance): make 
an expected $\mathrm{poly}(\lambda)$ number of classical queries to a uniform sampling oracle $O_{R^t}$ over $R^t$, receiving 
a set of challenges $A$, and then (using an arbitrary procedure) output any size-$k^2$ subset 
$\{(r_{1,1}, \ldots, r_{t,1}), \ldots, (r_{1,k^2}, \ldots, r_{t,k^2})\}$ of $A$ of $k^2$ challenges. The extractor aborts if 
$(r_{j,i})_{j\in[t], i\in[k^2]} \in \mathsf{BAD}$. 

Let $d$ be a constant such that the expected number of queries to the uniform sampling oracle $O_{R^t}$ 
is $O(\lambda^d)$. Suppose towards a contradiction that the extractor aborts with non-negligible probability, 
i.e., there exists a constant $c$ such that for infinitely many $\lambda \in \mathbb{N}$, the extractor aborts with 
probability at least $1/\lambda^c$. If $0 < q < \lambda^{d+c+1}$ oracle queries have already been made, the probability 
that the next oracle query allows finding a size-$k^2$ subset of outputs in $\mathsf{BAD}$ is at most 
\[
\big(\lambda^{d+c+1}\big)^{k^2}\Big(\frac{k}{e^k}\Big)^{k^2\log^2(\lambda)}.
\]
Moreover, there exists a constant $\lambda_0$ such that for all $\lambda > \lambda_0$, this can be upper bounded as 
\[
\big(\lambda^{d+c+1}\big)^{k^2}\Big(\frac{k}{e^k}\Big)^{k^2\log^2(\lambda)}
\le \big(\lambda^{d+c+1}\big)^{k^2}\Big(e^{-k^3 + k^2\log(k)}\Big)^{\log^2(\lambda)}
\le e^{-\log^2(\lambda)} = 1/\lambda^{\log(\lambda)}.
\]
Thus for all $\lambda > \lambda_0$, the probability of finding a size-$k^2$ subset of oracle outputs in $\mathsf{BAD}$ within 
$\lambda^{d+c+1}$ oracle queries is at most $\lambda^{d+c+1}/\lambda^{\log(\lambda)}$. This implies that finding a size-$k^2$ subset of oracle 
outputs in $\mathsf{BAD}$ with probability $1/\lambda^c$ requires making at least $\lambda^{d+c+1}$ oracle queries with probability 
at least $1/\lambda^c - \lambda^{d+c+1}/\lambda^{\log(\lambda)}$. Then for $\lambda > \lambda_0$, the expected number of queries is at least 
\[
\lambda^{d+c+1}\Big(\frac{1}{\lambda^c} - \frac{\lambda^{d+c+1}}{\lambda^{\log(\lambda)}}\Big) = \lambda^{d+1} - \frac{\lambda^{2d+2c+2}}{\lambda^{\log(\lambda)}}.
\]
Since $c$ and $d$ are constants, there exists $\lambda_1$ such that for $\lambda > \lambda_1$, the expected number of queries is at least $\lambda^{d+1} - 1$. This contradicts 
our assumption that the expected number of queries to the uniform sampling oracle is 
$O(\lambda^d)$. □ 


5.3 Examples of Probabilistic Special Sound Protocols 


We now show that many classical interactive proofs-of-knowledge (or arguments-of-knowledge) 
satisfy probabilistic special soundness. It was already noted above that (parallel repetitions of) 
standard special-sound protocols satisfy the notion. Here, we highlight three other cases: commit- 
and-open protocols (where $g$ is only given partial transcripts), Kilian's protocol, and a subroutine 
of the [GMW86] graph non-isomorphism protocol. 
5.3.1 The "one-out-of-two" graph isomorphism subroutine 


In order to prove Theorem 1.2, we consider the following proof-of-knowledge subroutine of the 
[GMW86] graph non-isomorphism protocol: 

• The subroutine instance is three graphs $G_0, G_1, H$. The prover^24 wants to prove that there 
exists a bit $b$ such that $G_b$ is isomorphic to $H$. To do so, they execute a parallel repetition of 
the following protocol. 

• The prover picks random permutations $\sigma_0, \sigma_1$, a random bit $c$, and sends $(H_0 = \sigma_0(G_c), H_1 = \sigma_1(G_{1-c}))$ to the verifier. 

• The verifier sends a random bit $r$. 

• If $r = 0$, the prover sends $(c, \sigma_0, \sigma_1)$ and the verifier checks that $(H_0 = \sigma_0(G_c), H_1 = \sigma_1(G_{1-c}))$ 
was computed correctly. 

• If $r = 1$, the prover sends $(c \oplus b, \sigma_{c\oplus b} \circ \pi)$, where $\pi$ is an isomorphism mapping $H$ to $G_b$. The 
verifier then checks that $(\sigma_{c\oplus b} \circ \pi)(H) = H_{c\oplus b}$. 


In the classical setting, this is generally viewed as a proof of knowledge of $(b, \pi)$. However, 
we consider it as a proof of knowledge of the bit $b$, in the situation where $G_0$ and $G_1$ are not 
isomorphic. We will formalize this in two different ways: first by showing that the protocol is 
$(2, g)$-special sound for a natural consistency predicate $g$, and then by showing that it is $(2, g')$-PSS 
for a more complicated predicate $g'$ that we have to use to be compatible with the protocol's limited 
partial collapsing property. 

First, we define an (inefficient) consistency predicate $g$, which is given as input $\tau_{\mathrm{pre}}$ and an arbitrary 
number of pairs $(r, c) \in \{0,1\}^\lambda \times \{0,1\}^\lambda$ (rejecting if the input is not of this form). $g$ outputs 1 if 
the following conditions hold for all $\ell \in [\lambda]$: 

• If $r_\ell = 0$, the graphs $(H_{0,\ell}, H_{1,\ell})$ are isomorphic to $(G_{c_\ell}, G_{1-c_\ell})$. 
• If $r_\ell = 1$, the graph $H_{c_\ell,\ell}$ is isomorphic to $H$. 


The following claim then holds immediately by transitivity of graph isomorphism. The extractor, 
given $(r, c)$ and $(r', c')$, simply chooses an $\ell$ such that $r_\ell \neq r'_\ell$ and outputs $b = c_\ell \oplus c'_\ell$. 


Claim 5.9. If $G_0$ and $G_1$ are not isomorphic, then the [GMW86] subroutine satisfies $(2, g)$-special 
soundness, where the extractor outputs the bit $b$. 


Finally, we define the predicate $g'$ to be a slight modification of $g$: for the first pair $(r^{(1)}, c^{(1)})$, 
$g'$ ignores^25 the bits $c^{(1)}_\ell$ for $\ell$ such that $r^{(1)}_\ell = 1$. The protocol will then not be $(2, g')$-special sound 
(e.g., a first transcript with $r^{(1)} = 1^\lambda$ would provide no information), but it will be $(2, g')$-PSS. 


Claim 5.10. If $G_0$ and $G_1$ are not isomorphic, then the [GMW86] subroutine satisfies $(2, g')$-PSS, 
where the extractor outputs the bit $b$. 


24 The [GMW86] verifier acts as the prover in this subroutine. 

25 Alternatively, we could define $g'$ to require inputs with these $c^{(1)}_\ell$ omitted. 
Proof. This follows from the claim that if $(r^{(1)}, r^{(2)}) \in \{0,1\}^\lambda \times \{0,1\}^\lambda$ is sampled according to 
an admissible distribution, then with all but $\mathrm{negl}(\lambda)$ probability, there exists an index $\ell$ such that 
$r^{(1)}_\ell = 0$ and $r^{(2)}_\ell = 1$. This can be argued using the same reasoning as in the proof of Claim 5.7, 
since the probability that two uniformly random $\lambda$-bit strings $r^{(1)}$ and $r^{(2)}$ do not have an index 
$\ell \in [\lambda]$ such that $r^{(1)}_\ell = 0$ and $r^{(2)}_\ell = 1$ is $\mathrm{negl}(\lambda)$. □ 
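The subroutine above, together with the extractors of Claim 5.9 (predicate $g$) and Claim 5.10 (predicate $g'$), as an added, runnable example that is not part of the paper: an honest prover answers two different challenge strings on the same first messages (classical shared-prefix rewinding), and the extractor recovers $b$ from the two transcripts. Graph encodings, the `make_instance` helper and the fixed seed are assumptions of this example.

```python
import random

# Graphs are frozensets of sorted edge pairs over vertices 0..n-1; a permutation
# is a tuple p with p[u] = image of vertex u.

def apply_perm(p, graph):
    """Relabel every edge (u, v) of graph to (p[u], p[v])."""
    return frozenset(tuple(sorted((p[u], p[v]))) for u, v in graph)

def compose(p, q):
    """(p o q)(x) = p[q[x]], so apply_perm(compose(p, q), G) == apply_perm(p, apply_perm(q, G))."""
    return tuple(p[x] for x in q)

def inverse(p):
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return tuple(inv)

def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

def prover_first_message(G, n, rng):
    """Prover picks sigma0, sigma1 and a bit c, sends (H0, H1) = (sigma0(G_c), sigma1(G_{1-c})).
    Returns the private coins and the public message."""
    sigma = (random_perm(n, rng), random_perm(n, rng))
    c = rng.randrange(2)
    msg = (apply_perm(sigma[0], G[c]), apply_perm(sigma[1], G[1 - c]))
    return (sigma, c), msg

def prover_response(coins, r, b, pi):
    """Response to challenge bit r; pi is an isomorphism mapping H to G_b."""
    sigma, c = coins
    if r == 0:
        return (c, sigma[0], sigma[1])
    d = c ^ b
    return (d, compose(sigma[d], pi))

def verify(G, H, msg, r, resp):
    """The verifier's check for one repetition."""
    H0, H1 = msg
    if r == 0:
        c, s0, s1 = resp
        return apply_perm(s0, G[c]) == H0 and apply_perm(s1, G[1 - c]) == H1
    d, tau = resp
    return apply_perm(tau, H) == (H0, H1)[d]

def run_two_transcripts(G, H, b, pi, r1, r2, rng):
    """Shared-prefix rewinding: one first message per position, two challenge strings.
    Returns (c1, c2, all_accept) where c_i[l] is the bit the prover sent at position l."""
    n = max(v for g in G for e in g for v in e) + 1
    c1, c2, ok = [], [], True
    for l in range(len(r1)):
        coins, msg = prover_first_message(G, n, rng)
        for r, out in ((r1[l], c1), (r2[l], c2)):
            resp = prover_response(coins, r, b, pi)
            ok = ok and verify(G, H, msg, r, resp)
            out.append(resp[0])
    return c1, c2, ok

def extract_g(r1, c1, r2, c2):
    """Claim 5.9 extractor for g: any position l with r1[l] != r2[l] gives b = c1[l] xor c2[l]."""
    for l, (x, y) in enumerate(zip(r1, r2)):
        if x != y:
            return c1[l] ^ c2[l]
    return None

def extract_g_prime(r1, c1, r2, c2):
    """Claim 5.10 extractor for g': bits of the first transcript at positions with
    r1[l] = 1 are ignored, so a position with r1[l] = 0 and r2[l] = 1 is required."""
    for l, (x, y) in enumerate(zip(r1, r2)):
        if x == 0 and y == 1:
            return c1[l] ^ c2[l]
    return None

def make_instance(seed=1):
    """Constructed sample instance (assumption of this example): G0 a path, G1 a star
    (different degree sequences, hence non-isomorphic), H isomorphic to G_b with b = 1."""
    rng = random.Random(seed)
    G = (frozenset({(0, 1), (1, 2), (2, 3)}), frozenset({(0, 1), (0, 2), (0, 3)}))
    b = 1
    rho = random_perm(4, rng)
    H = apply_perm(rho, G[b])   # H = rho(G_b)
    pi = inverse(rho)           # pi maps H back to G_b
    return G, H, b, pi, rng

if __name__ == "__main__":
    G, H, b, pi, rng = make_instance()
    r1, r2 = [0, 1, 0, 1], [1, 1, 0, 0]
    c1, c2, ok = run_two_transcripts(G, H, b, pi, r1, r2, rng)
    print(ok, extract_g(r1, c1, r2, c2), extract_g_prime(r1, c1, r2, c2))
```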


5.3.2 Commit-and-Open Protocols 


The next class of examples we discuss is that of commit-and-open protocols. In particular, we 
are interested in characterizing a special soundness property where the extractor is only given the 
opened messages in the prover’s response (and not their openings). 


Definition 5.11. Let Com denote a (possibly keyed) non-interactive commitment scheme. A 
commit-and-open protocol is a (3 or 4 message) protocol for an NP language $L$ of the following 
form: 

• (Optional first verifier message) If Com is keyed, the verifier samples and sends the commitment key $\mathsf{ck}$ for Com. 

• The prover, given a witness $w$ for some statement $x \in L$, computes a string $y \in \{0,1\}^N$ and 
sends a bitwise commitment $a = \mathrm{Com}(\mathsf{ck}, y)$ to the verifier. 

• The verifier samples a string $r$ that encodes a subset $S \subseteq [N]$ and sends $r$ to the prover. 
• The prover sends openings to $\{y_i\}_{i\in S}$. 

• The verifier checks that each opening to $y_i$ (for $i \in S$) is valid and then computes some function 
$\mathrm{Check}(y_S)$ on the opened bits. 


We say that such a protocol satisfies "commit-and-open $k$-special soundness" if there exists an 
extractor $\mathrm{Extract}(x, y)$ satisfying the following property. For every instance $x$ and every collection of 
$k$ distinct sets $S_1, \ldots, S_k$ (represented by strings $(r_1, \ldots, r_k)$), for any string $y$ such that $\mathrm{Check}(y_{S_i}) = 1$ 
for all $i$, $w = \mathrm{Extract}(x, y)$ is a valid NP-witness for $x$. 


It is not hard to see that the "commit-and-open" $k$-special soundness property, combined with 
the (computational/statistical) binding of the commitment scheme, implies a standard (computational/statistical) $k$-special soundness property of the $\Sigma$-protocol. However, we consider "commit-and-open $k$-special soundness" explicitly in order to satisfy (probabilistic) special soundness with 
respect to partial transcripts. 

This definition captures extremely common $\Sigma$-protocols, such as: 

• The [GMW86] $\Sigma$-protocol for 3-coloring. 
• A slight variant of the [Blu86] $\Sigma$-protocol for Hamiltonicity.^26 
• Protocols following the "MPC-in-the-head" paradigm [IKOS07]. 


26 In this variant, in addition to committing to a permuted graph $\pi(G)$, the prover commits to the permutation $\pi$ 
and the permuted cycle $\pi \circ \sigma$. On the 0 challenge, the prover additionally opens the commitment to $\pi$, and on the 1 
challenge, the prover additionally opens the commitment to $\pi \circ \sigma$. 
To view this in terms of generalized $k$-special soundness, define a consistency predicate $g$ as 
follows: on input $(\tau_{\mathrm{pre}}, (r_i, \{m_{i,\ell}\}_{\ell\in S_i})_{i\in[k]})$, output 1 if and only if 

• For any pair of sets $S_i, S_j$ (corresponding to challenges $r_i, r_j$), for any $\ell \in S_i \cap S_j$, we have 
$m_{i,\ell} = m_{j,\ell}$. That is, the "opened" message subsets are mutually consistent. 
• For all $i \in [k]$, $\mathrm{Check}(\{m_{i,\ell}\}_{\ell\in S_i}) = 1$. 

With this formalism in place, the following claim is immediate. 


Claim 5.12. Any protocol satisfying commit-and-open $k$-special soundness (as described in Definition 5.11) 
is $(k, g)$-special sound. 
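The predicate $g$ above and the extractor of Claim 5.12, as an added example that is not the paper's code, instantiated with the [GMW86] 3-coloring protocol: $y$ is a coloring, each challenge $r$ encodes the endpoints $S = \{u, v\}$ of one edge, and $\mathrm{Check}(y_S)$ accepts iff the two opened colors differ. Commitments are abstracted away (the predicate only sees opened messages), and the merge step is the same one the Kilian extractor of Section 5.3.3 uses to assemble a PCP from overlapping answers; the toy graphs and colorings are constructed for the example.

```python
def check_3col(opened):
    """Check(y_S) for 3-coloring: exactly two opened entries, valid colors, different."""
    colors = list(opened.values())
    return (len(colors) == 2 and all(c in (0, 1, 2) for c in colors)
            and colors[0] != colors[1])

def consistency_predicate(transcripts, check):
    """g(tau_pre, (r_i, {m_{i,l}}_{l in S_i})_{i in [k]}).

    transcripts: list of (r_i, opened_i) where r_i is the tuple of positions S_i and
    opened_i maps each l in S_i to the opened message m_{i,l}.
    Returns (1, merged) when overlapping openings agree and every transcript passes
    check, else (0, None). merged is the single string y the openings define."""
    merged = {}
    for r, opened in transcripts:
        if set(opened) != set(r):
            return 0, None                    # must open exactly the positions in S_i
        for l, m in opened.items():
            if merged.setdefault(l, m) != m:
                return 0, None                # one committed position, two values
        if not check(opened):
            return 0, None
    return 1, merged

def extract_3col(edges, merged):
    """Extract(x, y) for 3-coloring: the merged openings are the witness whenever they
    properly color every edge of x (the k distinct sets must cover all edges)."""
    for u, v in edges:
        if u not in merged or v not in merged or merged[u] == merged[v]:
            return None
    return dict(merged)

def honest_transcripts(edges, coloring):
    """Constructed sample transcripts: one per challenged edge, opening its endpoints."""
    return [((u, v), {u: coloring[u], v: coloring[v]}) for u, v in edges]

if __name__ == "__main__":
    triangle = [(0, 1), (1, 2), (0, 2)]
    bit, y = consistency_predicate(honest_transcripts(triangle, {0: 0, 1: 1, 2: 2}), check_3col)
    print(bit, extract_3col(triangle, y))
```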


5.3.3 Kilian's Protocol 
We briefly recall Kilian's protocol [Kil92] instantiated with a collapsing hash function: 
1. The verifier samples a collapsing hash function $h \leftarrow \mathcal{H}$, and sends $h$ to the prover. 

2. Let $h_{\mathrm{Merkle}}$ be the Merkle hash function corresponding to $h$. The prover uses $w$ to compute 
a PCP $\pi$, and then sends $\mathsf{rt} = h_{\mathrm{Merkle}}(\pi)$ to the verifier. 

3. The verifier samples random coins $r$ and sends them to the prover. 

4. The prover computes the set of the PCP indices $q_r$ that the PCP verifier with randomness $r$ 
would check. It sends the corresponding values $\pi[q_r]$ along with the Merkle openings of $\mathsf{rt}$ on 
the positions $q_r$. 

5. Finally, the verifier accepts if all the Merkle openings are valid and $V_{\mathrm{PCP},x}(r, \pi[q_r]) = 1$, i.e., 
the PCP verifier with randomness $r$ accepts $\pi[q_r]$. 


We will instantiate Kilian's protocol with a PCP of knowledge, defined as follows. Let $\mathsf{WIN}_{\mathrm{PCP},x}(\pi)$ 
denote the probability that $\pi$ is accepted by the PCP verifier. 

Definition 5.13 (PCP of Knowledge). A PCP has knowledge error $\kappa_{\mathrm{PCP}}(\lambda)$ if there is an extractor 
$E_{\mathrm{PCP}}$ such that given any PCP $\pi$ where $\mathsf{WIN}_{\mathrm{PCP},x}(\pi) > \kappa_{\mathrm{PCP}}$, the extractor $E_{\mathrm{PCP}}(\pi) \to w$ outputs 
a valid witness $w$ for $x$ with probability 1. 


The following claim is due to [CMSZ21], though we have slightly rewritten it to match our 
definition of $k$-PSS. 

Claim 5.14. Kilian's protocol instantiated with a PCP with knowledge error $\kappa_{\mathrm{PCP}}(\lambda) = \mathrm{negl}(\lambda)$, 
proof length $\ell(\lambda)$, and alphabet $\Sigma(\lambda)$ is $(k, g)$-PSS where $k = \ell\log(|\Sigma|)$ and the consistency 
function $g$ outputs 1 on $(\tau_{\mathrm{pre}}, (r_i, z_i)_{i\in[k]})$ if (1) for each $i$, the response $z_i$ contains PCP answers 
$\pi[q_{r_i}]$ such that $V_{\mathrm{PCP}}(x, r_i, \pi[q_{r_i}]) = 1$, and (2) for every $i \neq i'$ the answers $\pi[q_{r_i}]$ and $\pi[q_{r_{i'}}]$ agree 
on all indices in $q_{r_i} \cap q_{r_{i'}}$. 


Proof. Our extractor $\mathsf{PSSExtract}_\Sigma$ takes as input $(\tau_{\mathrm{pre}}, (r_i, z_i)_{i\in[k]})$ and generates a witness as follows: 

1. Generate a PCP string $\pi \in \Sigma^\ell$ as follows. For each $t \in [\ell]$, check if $t \in q_{r_i}$ for any $i$. If so, 
pick such an $i$ arbitrarily and set $\pi[t]$ according to the value specified in $z_i$ (the choice of $i$ 
does not matter since the input satisfies consistency with respect to $g$). If there is no such $i$, 
set $\pi[t]$ arbitrarily. 

2. Run $E_{\mathrm{PCP}}(\pi) \to w$ and output $w$. 

We prove that Step 1 constructs a PCP $\pi$ where $\mathsf{WIN}_{\mathrm{PCP},x}(\pi) > \kappa_{\mathrm{PCP}}$ with $1 - \mathrm{negl}(\lambda)$ probability 
whenever $(\tau_{\mathrm{pre}}, (r_i, z_i)_{i\in[k]})$ is sampled from a distribution supported on $\mathsf{Consistent}_k$ (i.e., the subset 
of $T \times (R \times Z)^k$ where $g$ outputs 1) whose marginal distribution on $R^k$ is admissible. 

It suffices to prove that if $(r_1, \ldots, r_k)$ are output by Samp (where Samp makes an expected 
$\mathrm{poly}(\lambda)$ number of queries to a uniform sampling oracle $O_R$ and then outputs a size-$k$ subset of 
the outputs of $O_R$) then the probability there exists $\pi \in \Sigma^\ell$ such that (1) $\mathsf{WIN}_{\mathrm{PCP},x}(\pi) \le \kappa_{\mathrm{PCP}}$ 
and (2) $V_{\mathrm{PCP},x}(r_i, \pi[q_{r_i}]) = 1$ for all $i \in [k]$ is $\mathrm{negl}(\lambda)$. This follows by invoking the definition of an 
admissible distribution, and observing that any $\pi$ resulting from Step 1 satisfies (2) by construction, 
which means that $\mathsf{WIN}_{\mathrm{PCP},x}(\pi) > \kappa_{\mathrm{PCP}}$ with probability $1 - \mathrm{negl}(\lambda)$. 

Let $d$ be a constant such that for all $\lambda > \lambda_0$, Samp makes at most $\lambda^d$ queries to the sampling 
oracle $O_R$ in expectation. Suppose towards contradiction that there exists a constant $c$ such that for infinitely many 
$\lambda$, with probability at least $1/\lambda^c$, Samp outputs $(r_1, \ldots, r_k)$ such that there 
exists $\pi \in \Sigma^\ell$ satisfying conditions (1) and (2) above. Then, for infinitely many $\lambda$, the probability 
that Samp makes $2\lambda^{c+d}$ queries (or more) to its sampling oracle $O_R$ is at most $1/(2\lambda^c)$ by Markov's 
inequality. This means that even if Samp makes at most $2\lambda^{c+d}$ queries to its sampling oracle, it 
still succeeds with probability at least $1/(2\lambda^c)$ for infinitely many $\lambda$. 

Consider any fixed PCP $\pi$ such that $\mathsf{WIN}_{\mathrm{PCP},x}(\pi) \le \kappa_{\mathrm{PCP}}$. The probability that the PCP is 
accepting on at least $k$ challenges out of $2\lambda^{c+d}$ uniformly random challenges is at most 
\[
\binom{2\lambda^{c+d}}{k}\kappa_{\mathrm{PCP}}^k \le \big(2\lambda^{c+d}\kappa_{\mathrm{PCP}}\big)^k.
\]
By taking a union bound over all $\pi \in \Sigma^\ell$ we conclude that given $2\lambda^{c+d}$ uniformly random challenges, 
the probability there exists a PCP $\pi$ such that $\mathsf{WIN}_{\mathrm{PCP},x}(\pi) \le \kappa_{\mathrm{PCP}}$ and $\pi$ is accepting on at least 
$k$ of the $2\lambda^{c+d}$ challenges is at most 
\[
|\Sigma|^\ell\,\kappa_{\mathrm{PCP}}^k\,\big(2\lambda^{c+d}\big)^k = \Big(|\Sigma| \cdot \big(2\lambda^{c+d}\kappa_{\mathrm{PCP}}\big)^{\log(|\Sigma|)}\Big)^\ell,
\]
where we have plugged in $k = \ell\log(|\Sigma|)$. Since $\kappa_{\mathrm{PCP}} = \mathrm{negl}(\lambda)$, there exists $\lambda_0$ such that 
$2\lambda^{c+d}\kappa_{\mathrm{PCP}} \le 1/4$ for all $\lambda > \lambda_0$. Then for all $\lambda > \lambda_0$, we have 
\[
\Big(|\Sigma| \cdot \big(2\lambda^{c+d}\kappa_{\mathrm{PCP}}\big)^{\log(|\Sigma|)}\Big)^\ell \le \Big(\frac{1}{|\Sigma|}\Big)^\ell.
\]
Since the PCP alphabet size is at least $|\Sigma| \ge 2$ and the PCP length is at least $\ell \ge \lambda$, the probability 
that Samp succeeds when restricted to making at most $2\lambda^{c+d}$ queries to $O_R$ is at most $O(1/2^\lambda)$, 
which is a contradiction. □ 


6 Singular Vector Algorithms 


In this section we give algorithms for working with states that are singular vectors of a matrix 
$\Pi_A\Pi_B$, where $\Pi_A, \Pi_B$ are projectors. In Section 6.2 we give an algorithm that transforms left 
singular vectors to right singular vectors with negligible error. The runtime of the algorithm 
depends on the corresponding singular value. 
Notation. Throughout this section we will consider the interaction between two binary projective 
measurements $A = (\Pi_A, I - \Pi_A)$, $B = (\Pi_B, I - \Pi_B)$. 

We consider the matrix $\Pi_A\Pi_B$ and its singular value decomposition $V\Sigma W^\dagger$. Recall that $V, W$ 
are unitary and $\Sigma$ is a diagonal matrix. The columns of $V$ (resp. $W$) are the left (resp. right) 
singular vectors of $\Pi_A\Pi_B$, and the entries on the diagonal of $\Sigma$ are the singular values $s_j$. Note 
that the singular value decomposition is not in general unique; for the purposes of this section we 
fix one arbitrarily. 

We denote left (resp. right) singular vectors of $\Pi_A\Pi_B$ with $s_j > 0$ by $|v_{j,1}\rangle$ (resp. $|w_{j,1}\rangle$). Define 
$S_j = \mathrm{span}(|v_{j,1}\rangle, |w_{j,1}\rangle)$. If $s_j < 1$, then $S_j$ is two-dimensional. The $S_j$ correspond to the Jordan 
subspaces of $(\Pi_A, \Pi_B)$. As such, we also have $|v_{j,0}\rangle, |w_{j,0}\rangle \in S_j$. A straightforward calculation 
shows that these are left and right singular vectors of $(I - \Pi_A)(I - \Pi_B)$ with singular value $s_j$. The 
Jordan subspace values $p_j$ are the squares of the corresponding singular values. In our setting it is 
more natural to use the squares (since they correspond to probabilities), and so the guarantees in 
this section are stated with respect to the squared singular values. 


6.1 Fixed-Runtime Algorithms 


In this section we recall a selection of algorithms for manipulating singular vectors of $\Pi_A\Pi_B$. All of 
these algorithms make black-box use of $U_A, U_B$; we consider their complexity as circuits with $U_A, U_B$ 
gates. All of these algorithms take as input some threshold $a \in (0, 1]$, such that their correctness 
guarantee will hold for singular vectors of value at least $a$, and their running time is linear in $1/a$. 

The first algorithm Transform implements a fixed-runtime singular vector transformation, taking 
left singular vectors to their corresponding right singular vectors. 


Theorem 6.1 (Singular vector transformation [GSLW19]). There is a uniform family of circuits 
$\{\mathsf{Transform}_{a,\delta}\}_{a,\delta\in(0,1]}$ with $U_A, U_B$ gates, of size $O(\log(1/\delta)/\sqrt{a})$, such that the following holds. Let 
$|v_{j,1}\rangle$ be a left singular vector of $\Pi_A\Pi_B$ with singular value $s_j$. If $a \le s_j^2$, $\mathsf{Transform}_{a,\delta}[A \to B](|v_{j,1}\rangle)$ 
outputs the state $|w_{j,1}\rangle$ with probability at least $1 - \delta$. Moreover, for all $a$, $S_j$ is invariant under 
$\mathsf{Transform}_{a,\delta}$. 


The second algorithm Threshold implements a measurement determining, given a threshold $a$ 
and a singular vector with singular value $s_j$, whether $a < s_j$ or $a > 2s_j$ (and otherwise has no 
guarantee). 


Theorem 6.2 (Singular value threshold [GSLW19]). There is an algorithm Threshold which, for 
all binary projective measurements $A, B$, given black-box access to operators $U_A, U_B$, achieves the 
following guarantee. Given $\delta > 0$, $b > \varepsilon > 0$ and a state $|v_{j,1}\rangle$ which is a left singular vector of 
$\Pi_A\Pi_B$ with singular value $s_j$: 

• if $s_j^2 \ge b$, then $\Pr[\mathsf{Threshold}^{A,B}_{b,\varepsilon,\delta}(|v_{j,1}\rangle) \to 1] \ge 1 - \delta$, and 

• if $s_j^2 \le b - \varepsilon$, then $\Pr[\mathsf{Threshold}^{A,B}_{b,\varepsilon,\delta}(|v_{j,1}\rangle) \to 1] \le \delta$. 

Moreover, $S_j$ is invariant under Threshold, and if the outcome is 1 the post-measurement state is 
$|v_{j,1}\rangle$. Threshold runs in time $O(\log(1/\delta)\sqrt{b}/\varepsilon)$. 


Next, we describe an algorithm which, with access to $U_A, U_B$, can "flip" a singular vector state 
from $\mathrm{image}(I - \Pi_A)$ to $\mathrm{image}(\Pi_A)$ using $\Pi_B$, provided that the singular value is sufficiently far from 
both 0 and 1. 
Lemma 6.3. Let $\Pi_A, \Pi_B$ be projectors. There is an algorithm $\mathsf{Flip}_\varepsilon[\Pi_A, \Pi_B]$ which, on input a state 
$|v_{j,0}\rangle$ that is a left singular vector of $\Pi_A\Pi_B$ with $\varepsilon \le s_j^2 \le 3/4$, outputs the state $|v_{j,1}\rangle$ with probability 
$1 - \delta$ in time $O(\log(1/\delta)/\sqrt{\varepsilon})$. Flip is invariant on the subspace spanned by $\{|v_{j,1}\rangle, |v_{j,0}\rangle\}$. 

Proof. The algorithm operates as follows: 
1. Apply $A, B$ in an alternating fashion until either $A \to 1$, $B \to 1$ or $3\log(1/\delta)$ measurements 
have been applied. 
2. If $A \to 1$, stop. 
3. If $B \to 1$, apply $\mathsf{Transform}_{\varepsilon,\delta}[\Pi_B, \Pi_A]$. 
The lemma follows since the probability that the alternating measurements take more than $k$ steps is $(3/4)^k$, and then 
by the guarantee of Transform. □ 


6.2 Variable-Runtime Singular Vector Transformation (vrSVT) 


In this section we describe our variable-runtime SVT algorithm. In fact, for technical reasons 
our algorithm consists of two parts: a variable-runtime singular value estimation procedure which 
preserves singular vectors, and a singular vector transformation procedure which transforms left 
singular vectors to right singular vectors, whose running time is fixed given a classical input from 
the estimation procedure. 

Below we give a proof of Theorem 6.4 that makes use of the singular value discrimination 
and singular vector transformation algorithms of [GSLW19]. We note that it is possible to prove 
Theorem 6.4 via more "elementary" means using high-probability phase estimation [NWZ09] and 
amplitude amplification. Indeed, phase estimation for $(2I - \Pi_A)(2I - \Pi_B)$ is equivalent to singular 
value estimation for $\Pi_A\Pi_B$, and amplitude amplification can be viewed as a (non-coherent) singular 
vector transformation. 


Theorem 6.4 (Two-stage variable-runtime singular vector transformation). Let $A = (\Pi_A, I - \Pi_A)$, 
$B = (\Pi_B, I - \Pi_B)$ be projective measurements. There is a pair of algorithms $\mathsf{VarEstimate}[\Pi_A \Rightarrow \Pi_B]$ 
and $\mathsf{Transform}[\Pi_B \to \Pi_A]$ with $U_A$ and $U_B$ gates with the following properties. Let $|w_{j,1}\rangle$ be a left 
singular vector of $\Pi_A\Pi_B$ with singular value $s_j > 0$, and let $|v_{j,1}\rangle$ be the corresponding right singular 
vector. Then 

1. The subspace $S_j$ is invariant under both VarEstimate and Transform. 

2. The running time of $\mathsf{VarEstimate}(|v_{j,1}\rangle)$ is $O(\log(1/\delta)/s_j)$ with probability $1 - \delta$ and $O(\log(1/\delta)/\delta)$ 
with probability 1. 

3. The output $(q, |\psi\rangle) \leftarrow \mathsf{VarEstimate}(|v_{j,1}\rangle)$ is such that $|\psi\rangle = |w_{j,1}\rangle$ with probability $1 - \delta$. 

4. The running time of $\mathsf{Transform}(q, |\psi'\rangle)$, where $(q, |\psi\rangle) \leftarrow \mathsf{VarEstimate}(|v_{j,1}\rangle)$ and $|\psi'\rangle$ is any 
state, is $O(\log(1/\delta)/s_j)$ with probability $1 - \delta$ and at most $1/\delta$ with probability 1. 

5. The output state of $\mathsf{Transform}(\mathsf{VarEstimate}(|v_{j,1}\rangle))$ is $|w_{j,1}\rangle$ with probability $1 - \delta$. 


The Transform procedure above can be instantiated directly via the singular vector transformation algorithm of [GSLW19], see Theorem 6.1. 

We describe an implementation of VarEstimate using the singular value discrimination algorithm 
(Theorem 6.2). For a binary projective measurement $A$, let $\bar{A}$ denote the same measurement with 
the outcome labels reversed. For $k$ in the procedure below, define $b := 2^{-k}$ and $\varepsilon := 2^{-k-1}$. 

1. Set $b := 0$, $k := 0$. Repeat the following steps until $b = 1$ or $k > \lceil\log(1/\delta)\rceil$: 

 (a) Set $k \leftarrow k + 1$. 

 (b) Apply $B$, obtaining outcome $c$. 

 (c) If $c = 1$, apply $\mathsf{Threshold}^{A,B}(b, \varepsilon, \delta/\log(1/\delta))$ obtaining outcome $b \in \{0, 1\}$. 
 (d) If $c = 0$, apply $\mathsf{Threshold}^{\bar{A},\bar{B}}(b, \varepsilon, \delta/\log(1/\delta))$ obtaining outcome $b \in \{0, 1\}$. 
2. Apply $B$, obtaining outcome $c$. If $c = 0$, apply $\mathsf{Flip}_{2^{-k-1}}[A, B]$. 

3. Output $2^{-k-1}$. 


Lemma 6.5 (Variable-runtime singular value estimation). Let $|v_{j,1}\rangle$ be a left singular vector with 
singular value $s_j$. Let $\delta > 0$. $\mathsf{VarEstimate}_\delta[A \Rightarrow B](|v_{j,1}\rangle, \delta)$ runs in time $O(\log(1/\delta)/s_j)$ with 
probability $1 - \delta$ and $O(\log(1/\delta)/\delta)$ with probability 1. Moreover, VarEstimate outputs $a$ in the 
range $\max(\delta, s_j)/4 \le a \le \max(\delta, s_j)$ with probability $1 - \delta$. 


Proof. First, observe that $k$ iterations of Step 1 take time $O(\log(1/\delta) \cdot 2^k)$. Since VarEstimate 
terminates within $\lceil\log(1/\delta)\rceil$ iterations of Step 1 with probability 1, VarEstimate runs in time 
$O(\log(1/\delta)/\delta)$ with probability 1. 

The probability that the singular value discrimination algorithm outputs 1 when $2^{-k} > 2s_j$ 
is at most $\delta/\log(1/\delta)$. Similarly, the probability that it outputs 1 when $2^{-k} \le s_j$ is at least 
$1 - \delta/\log(1/\delta)$. By a union bound, with probability at least $1 - \delta$ the algorithm either stops in 
the first iteration where $2^{-k} \le 2s_j$ (so $s_j \le 2^{-k} \le 2s_j$) or in the following iteration ($s_j/2 \le 2^{-k} \le s_j$). Thus $2^{-k} \in [s_j/2, 2s_j]$, so $2^{-k-1} \in [s_j/4, s_j]$ as required. The running time in this case is 
$O(\log(1/\delta)/s_j)$. 

If $s_j \ge 1/2$ then the algorithm stops after one iteration in state $|w_{j,1}\rangle$ with probability $1 - \delta$. 
Otherwise the probability that $\log(1/\delta)$ alternating measurements $A, B$ are applied with only 0 
outcomes is at most $\delta$. If Step 2 terminates with $B \to 1$, then the resulting state is $|w_{j,1}\rangle$. Otherwise, 
the resulting state is $|v_{j,1}\rangle$. In this case the Transform algorithm rotates the state to $|w_{j,1}\rangle$ with 
probability $1 - \delta$. □ 


The next two claims follow directly from the correctness and subspace invariance guarantees of 
Threshold and VarEstimate. 


Corollary 6.6. For any state $\rho$, $\delta > 0$, $\varepsilon : [0,1] \to [\delta, 1]$: 
\[
\Pr\big[\mathsf{Threshold}_{p,\varepsilon(p),\delta}(\mathsf{VarEstimate}(\rho)) = 1\big] \ge 1 - 2\delta,
\]
where $p$ is the classical output from VarEstimate. 

Corollary 6.7. For any state $\rho$, $\delta > 0$, $\varepsilon \in [\delta, 1]$: 
\[
\Pr\left[\, b_1 = 1 \;\wedge\; b_2 = 0 \;\middle|\;
\begin{array}{l}
(b_1, \rho_1) \leftarrow \mathsf{Threshold}_{p,\varepsilon,\delta}(\rho) \\
(b_2, \rho_2) \leftarrow \mathsf{Threshold}_{p-\varepsilon,\varepsilon,\delta}(\rho_1)
\end{array}
\right] \le 2\delta.
\]


Moreover, 


Pel =A ye <p- 


(b1, p1) +} Threshold, -5(p) 
J < M JorlA, B](p1) E 
7 Pseudoinverse Lemma 


In this section we show that for binary projective measurements $A, B$ and any state $|\psi_A\rangle$ in the image 
of $\Pi_A$, there is a state $|\psi_B\rangle$ in the image of $\Pi_B$ such that $|\psi_A\rangle$ is (approximately) obtained by 
applying $A$ to $|\psi_B\rangle$ and conditioning on obtaining a 1. Moreover, if $|\psi_A\rangle$ has Jordan spectrum 
that is concentrated around eigenvalue $p$, then $|\psi_B\rangle$ has the same property. We refer to this as the 
"pseudoinverse lemma" because $|\psi_B\rangle$ is obtained from $|\psi_A\rangle$ by applying the pseudoinverse of the 
matrix $\Pi_A\Pi_B$. 


Lemma 7.1 (Pseudoinverse Lemma). Let $A, B$ be binary projective measurements, and let $\{S_j\}_j$ be 
the induced Jordan decomposition. Let $\Pi^{\mathrm{Jor}}_j$ be the projection onto $S_j$ and let $p_j$ be the eigenvalue 
of $S_j$. Let $\rho$ be a state such that $\mathrm{Tr}(\Pi_A\rho) = 1$ and let $\Pi_0 = \sum_{j: p_j = 0}\Pi^{\mathrm{Jor}}_j$. Let $E = \sum_{j: p_j > 0}\frac{1}{p_j}\Pi^{\mathrm{Jor}}_j$. 

There exists a "pseudoinverse" state $\rho'$ with $\mathrm{Tr}(\Pi_B\rho') = 1$ such that all of the following are true: 

1. $\mathrm{Tr}(\Pi_A\rho') = \dfrac{1 - \mathrm{Tr}(\Pi_0\rho)}{\mathrm{Tr}(E\rho)}$, 

2. $d\Big(\rho, \dfrac{\Pi_A\rho'\Pi_A}{\mathrm{Tr}(\Pi_A\rho')}\Big) \le 2\sqrt{\mathrm{Tr}(\Pi_0\rho)}$, 

3. for all $j$ such that $p_j > 0$ it holds that $\mathrm{Tr}(\Pi^{\mathrm{Jor}}_j\rho') = \dfrac{\mathrm{Tr}(\Pi^{\mathrm{Jor}}_j\rho)}{p_j\,\mathrm{Tr}(E\rho)}$, and 

4. for all $j$ such that $p_j = 0$ it holds that $\mathrm{Tr}(\Pi^{\mathrm{Jor}}_j\rho') = 0$. 

An important consequence of (3) and (4) is that for all $j$, if $\mathrm{Tr}(\Pi^{\mathrm{Jor}}_j\rho) = 0$ then $\mathrm{Tr}(\Pi^{\mathrm{Jor}}_j\rho') = 0$. 

Proof. Let $C := \Pi_A\Pi_B$, and note that $|v_{j,1}\rangle, |w_{j,1}\rangle$ are corresponding left and right singular vectors 
of $C$ with singular value $\sqrt{p_j}$. Hence $C = \sum_{j: p_j > 0}\sqrt{p_j}\,|v_{j,1}\rangle\langle w_{j,1}|$. Let $C^+$ be the pseudoinverse of 
$C$, i.e., $C^+ = \sum_{j: p_j > 0}\frac{1}{\sqrt{p_j}}|w_{j,1}\rangle\langle v_{j,1}|$. Define 
\[
\rho' = \frac{C^+\rho(C^+)^\dagger}{\mathrm{Tr}\big(C^+\rho(C^+)^\dagger\big)}.
\]
Since $\mathrm{Tr}(\Pi_A\rho) = 1$, we have $\mathrm{Tr}(\Pi_B\rho') = 1$. We also have 
\[
\mathrm{Tr}\big(C^+\rho(C^+)^\dagger\big) = \mathrm{Tr}\big((CC^\dagger)^+\rho\big) = \sum_j \frac{1}{p_j}\langle v_{j,1}|\rho|v_{j,1}\rangle = \mathrm{Tr}(E\rho). \qquad (1)
\]
Next, observe that since $CC^+ = \sum_{j: p_j > 0}|v_{j,1}\rangle\langle v_{j,1}| = I - \Pi_0$, we have 
\[
\Pi_A\rho'\Pi_A = \Pi_A\Big(\frac{C^+\rho(C^+)^\dagger}{\mathrm{Tr}(E\rho)}\Big)\Pi_A = \frac{(I - \Pi_0)\rho(I - \Pi_0)}{\mathrm{Tr}(E\rho)}. \qquad (2)
\]
Given these calculations, we can prove the claimed properties (1-3) in the lemma statement: 
• Proof of (1). Taking the trace of both sides of Eq. (2), we see that 
\[
\mathrm{Tr}(\Pi_A\rho') = \mathrm{Tr}(\Pi_A\rho'\Pi_A) = \frac{1}{\mathrm{Tr}(E\rho)}\mathrm{Tr}\big((I - \Pi_0)\rho(I - \Pi_0)\big) = \frac{\mathrm{Tr}((I - \Pi_0)\rho)}{\mathrm{Tr}(E\rho)} = \frac{1 - \mathrm{Tr}(\Pi_0\rho)}{\mathrm{Tr}(E\rho)}.
\]

• Proof of (2). Given Eq. (2) and the trace calculation above, we have that 
\[
\frac{\Pi_A\rho'\Pi_A}{\mathrm{Tr}(\Pi_A\rho')} = \frac{(I - \Pi_0)\rho(I - \Pi_0)}{1 - \mathrm{Tr}(\Pi_0\rho)}.
\]
The inequality $d\Big(\rho, \frac{\Pi_A\rho'\Pi_A}{\mathrm{Tr}(\Pi_A\rho')}\Big) \le 2\sqrt{\mathrm{Tr}(\Pi_0\rho)}$ now follows from gentle measurement. 

• Proof of (3). For all $j$ such that $p_j > 0$, making use of the same calculation as Eq. (1), we 
have 
\[
\mathrm{Tr}(\Pi^{\mathrm{Jor}}_j\rho') = \frac{\mathrm{Tr}\big(\Pi^{\mathrm{Jor}}_j C^+\rho(C^+)^\dagger\big)}{\mathrm{Tr}(E\rho)} = \frac{\mathrm{Tr}\big((C^+)^\dagger\Pi^{\mathrm{Jor}}_j C^+\rho\big)}{\mathrm{Tr}(E\rho)} = \frac{\mathrm{Tr}\big(\frac{1}{p_j}\Pi^{\mathrm{Jor}}_j\rho\big)}{\mathrm{Tr}(E\rho)} = \frac{\mathrm{Tr}(\Pi^{\mathrm{Jor}}_j\rho)}{p_j\,\mathrm{Tr}(E\rho)}.
\]

• Proof of (4). This follows immediately from the fact that $\Pi_0 C^+ = C^+\Pi_0 = 0$. 

This completes the proof of Lemma 7.1. □ 


We conclude this section by showing that under a mild condition, any state $\rho$ that is close to 
$\mathrm{image}(\Pi_A)$ has a nearby state in $\mathrm{image}(\Pi_A)$ with the same Jordan decomposition. 


Claim 7.2. Let $\rho$ be any state. Let $\Pi_{1,\neg A}$ project onto the one-dimensional subspaces $S_j$ in the 
image of $I - \Pi_A$. There exists a state $\sigma$ such that for all $j$, $\mathrm{Tr}(\Pi^{\mathrm{Jor}}_j\sigma) = \mathrm{Tr}(\Pi^{\mathrm{Jor}}_j\rho)$; $\mathrm{Tr}(\Pi_A\sigma) = 1 - \mathrm{Tr}(\Pi_{1,\neg A}\rho)$; and $d(\rho, \sigma) \le \sqrt{1 - \mathrm{Tr}(\Pi_A\rho)}$. 

Proof. Define a unitary $U$ which is invariant on the $S_j$ and, in each two-dimensional $S_j$, rotates 
$|v_{j,0}\rangle$ to $|v_{j,1}\rangle$. Formally, 
\[
U = \sum_{j:\, p_j \notin \{0,1\}}\Big(|v_{j,1}\rangle\langle v_{j,0}| + |v_{j,0}\rangle\langle v_{j,1}|\Big) + \Pi_{S^{(1)}},
\]
where $S^{(1)}$ is the direct sum of the 1D subspaces. Set 
\[
\sigma = \Pi_A\rho\Pi_A + U(I - \Pi_A)\rho(I - \Pi_A)U^\dagger. \qquad \square
\]


8 Post-Quantum Guaranteed Extraction 


In this section, we give a post-quantum extraction procedure for various 3- and 4-message public-coin interactive protocols. In particular, we will consider interactive protocols satisfying partial 
collapsing with respect to some class of efficiently computable functions $\mathcal{F} = \{f : T \times R \times Z \to \{0,1\}^*\}$. Our goal is to establish guaranteed extraction, defined below (essentially 
matching Definition 2.2). 
Definition 8.1. $(P_\Sigma, V_\Sigma)$ is a post-quantum proof of knowledge with guaranteed extraction if it 
has an extractor $\mathsf{Extract}^{P^*}$ of the following form. 

1. $\mathsf{Extract}^{P^*}$ first runs the cheating prover $P^*$ to generate a (classical) first message $a$ along with 
an instance $x$ (in a 4-message protocol, this requires first sampling a random $\mathsf{vk}$ and running 
$P^*(\mathsf{vk})$ to obtain $x, a$). 

2. $\mathsf{Extract}^{P^*}$ runs $P^*$ coherently on the superposition $\sum_{r\in R}|r\rangle$ of all challenges to obtain a 
superposition $\sum_{r,z}\alpha_{r,z}|r, z\rangle$ over challenge-response pairs.^27 

3. $\mathsf{Extract}^{P^*}$ then computes (in superposition) the verifier's decision $V(x, a, r, z)$ and measures 
it. If the measurement outcome is 0, the extractor gives up. 

4. If the measurement outcome is 1, run some quantum procedure $\mathsf{FindWitness}^{P^*}$ that outputs 
a string $w$. 

We require that the following two properties hold. 

• Correctness (guaranteed extraction): The probability that the initial measurement returns 1 but the output witness $w$ is not a valid witness for $x$ is $\mathrm{negl}(\lambda)$. 
• Efficiency: For any QPT $P^*$, the procedure $\mathsf{Extract}^{P^*}$ is in $\mathrm{EQPT}_m$. 


We remark that this definition is written to capture (first-message) adaptive soundness, where 
the prover $P^*$ is allowed to choose the instance $x$ when it sends its first message. One could 
alternatively define a non-adaptive variant of this definition in which the instance $x$ is fixed in 
advance (and this section's results would hold in this setting as well). Definition 8.1 suffices for 
our purposes since none of the 4-message protocols we consider have the first verifier message $\mathsf{vk}$ 
depend on $x$ (in all cases we consider, $\mathsf{vk}$ is just a commitment key or hash function key), and the 
protocols all satisfy adaptive soundness. 


8.0.1 Notation 


Let $\mathsf{R}$ denote a register with the basis $\{|r\rangle\}_{r\in R}$ and let $|+_R\rangle_{\mathsf{R}} = \frac{1}{\sqrt{|R|}}\sum_{r\in R}|r\rangle$. Let $\mathsf{H}$ denote 
the prover's state (including its workspace), and let $U_r$ denote the unitary on $\mathsf{H}$ that the prover 
applies on challenge $r$. Let $\mathsf{Z}$ denote the subregister of $\mathsf{H}$ that the prover measures to obtain its 
response $z$ after applying $U_r$. 

Define the projector 
\[
\Pi_{V,r} = U_r^\dagger\Big(\sum_{z:\, V(r,z)=1}|z\rangle\langle z|_{\mathsf{Z}} \otimes I\Big)U_r,
\]
which intuitively projects onto the subspace of $\mathsf{H}$ where the prover gives an accepting response on 
challenge $r$. 
Define the binary projective measurement $C = (\Pi_C, I - \Pi_C)$ where 
\[
\Pi_C = \sum_r |r\rangle\langle r|_{\mathsf{R}} \otimes \Pi_{V,r},
\]
and $U = (\Pi_U, I - \Pi_U)$ where 
\[
\Pi_U = |+_R\rangle\langle +_R|_{\mathsf{R}} \otimes I_{\mathsf{H}}.
\]


27 In general, the response $z$ will be entangled with the prover's state; here we suppress this dependence. 
8.1 Description of the Extractor 


We first give a full description of an extraction procedure Extract, defined for any partially collapsing 
protocol. 

The threshold unitary. Consider the following measurement procedure $T_{p,\varepsilon,\delta}$ on $\mathsf{H}$, parameterized by threshold $p$, accuracy $\varepsilon$ and error $\delta$. 

• Initialize a fresh register $\mathsf{R}$ to $|+_R\rangle_{\mathsf{R}}$. 

• Run $\mathsf{Threshold}_{p,\varepsilon,\delta}$ on $\mathsf{H} \otimes \mathsf{R}$, obtaining outcome $b$. 

• Trace out $\mathsf{R}$ and output $b$. 

We define $U_{p,\varepsilon,\delta}$ to be a coherent implementation of $T_{p,\varepsilon,\delta}$. $U_{p,\varepsilon,\delta}$ acts on $\mathsf{H} \otimes \mathsf{W} \otimes \mathsf{B}$ where $\mathsf{W} \otimes \mathsf{B}$ 
is an ancilla register: $\mathsf{W}$ contains the algorithm's workspace and $\mathsf{B}$ is a single qubit containing the 
measurement outcome. In particular, applying $U_{p,\varepsilon,\delta}$ to $|\psi\rangle_{\mathsf{H}}|0\rangle_{\mathsf{W},\mathsf{B}}$, measuring $\mathsf{B}$, and then tracing 
out $\mathsf{W}$ implements the above measurement. 


The repair measurements. We define the two projective measurements $D_r = (\Pi_r, I - \Pi_r)$, $G_{p,\varepsilon,\delta} = (\Pi_{p,\varepsilon,\delta}, I - \Pi_{p,\varepsilon,\delta})$ for our repair step. 
For any $p, \varepsilon, \delta > 0$, define the projector $\Pi_{p,\varepsilon,\delta}$ on $\mathsf{H} \otimes \mathsf{W} \otimes \mathsf{B}$ as follows: 
\[
\Pi_{p,\varepsilon,\delta} = U_{p,\varepsilon,\delta}^\dagger\big(I_{\mathsf{H},\mathsf{W}} \otimes |1\rangle\langle 1|_{\mathsf{B}}\big)U_{p,\varepsilon,\delta}.
\]
For any $r \in R$, we define the projector $\Pi_r$ on $\mathsf{H} \otimes \mathsf{W}$ as 
\[
\Pi_r = (\Pi_{V,r})_{\mathsf{H}} \otimes |0\rangle\langle 0|_{\mathsf{W}}.
\]


We now describe the extraction procedure $\mathsf{Extract}_k^{P^*}(x)$. The procedure is defined with respect to $k$ efficiently computable functions $f_1, \ldots, f_k : T \times R \times Z \to \{0,1\}^*$.

1. Initial Execution. Use $P^*$ to generate $(vk, a)$, and let $|\psi\rangle$ denote the residual prover state. Apply $C = (\Pi_C, I - \Pi_C)$ to $|\psi\rangle_H \otimes |+_R\rangle_R$. If the outcome is 0, terminate (note that we do not consider this an "abort"). Otherwise:

2. Estimate success probability. Run $\mathsf{VarEstimate}[C \rightleftarrows U]$ (as defined in Section 6.2) with $\tfrac{1}{4}$-multiplicative error and failure probability $\delta = 2^{-\lambda}$, outputting a value $p$. Note that since the input state is in $\Pi_C$, the algorithm produces an output state in $\Pi_C$ with probability $1 - \delta$.

Abort if $p < 4k\sqrt{\delta}$. Define $\varepsilon = \frac{p}{4k}$.

3. Main Loop. Repeat the following "main loop" for $i$ from 1 to $k$:

(a) Lower bound success probability. Run $\mathsf{Threshold}_{p,\varepsilon,\delta}$ on $H \otimes R$, obtaining outcome $b$. Abort if $b = 0$. Update $p := p - \varepsilon$.

(b) Measure the challenge. Measure the $R$ register, obtaining a particular challenge $r_i \in R$. Discard the $R$ register.

(c) Estimate the running time of Transform. Initialize the $W$ register to $|0\rangle_W$ and run $\mathsf{VarEstimate}[D_{r_i} \rightleftarrows G_{p,\varepsilon,\delta}]$ with $\tfrac{1}{4}$-multiplicative error and failure probability $\delta = 2^{-\lambda}$, obtaining classical output $q$. Since the input state is in $\Pi_{r_i}$, the algorithm produces an output state in $\Pi_{r_i}$ with probability $1 - \delta$.

(d) Record part of the accepting response. Make a partial measurement of the prover response $z_i$;²⁸ specifically, measure $y_i = f_i(z_i)$. If $i = k$, go to Step 4.

(e) Transform onto good states. Apply $\mathsf{Transform}_q[D_{r_i} \to G_{p,\varepsilon,\delta}]$ with failure probability $\delta = 2^{-\lambda}$.

(f) Next, apply $U_{p,\varepsilon,\delta}$ and then discard the $W$ register. Update $p := p - \varepsilon$.

(g) Transform onto accepting executions. Re-initialize $R$ to $|+_R\rangle$ and then apply $\mathsf{Transform}[U \to C]$; abort if this procedure fails.

4. Output $(vk, a, r_1, y_1, \ldots, r_k, y_k)$.

The above procedure deterministically terminates and aborts if it has not already stopped after $O(k)/\sqrt{\delta}$ steps, for $\delta := 2^{-\lambda}$.


²⁸ Formally, we (1) apply the prover unitary $U_{r_i}$ to $H$, (2) apply the projective measurement $(\Pi_y)_y$, for $\Pi_y = \sum_{z : f_i(z) = y}|z\rangle\langle z|_Z \otimes I_{H'}$ (where $H = Z \otimes H'$), and (3) apply $U_{r_i}^\dagger$ to $H$.


8.2 Partial Transcript Extraction Theorem 


Our most general extraction theorem is stated for any partially collapsing protocol, but is only guaranteed to output partial transcripts (rather than a witness). In Section 8.4 we show how this theorem can be used to establish guaranteed extraction of a witness.


Theorem 8.2. For any 4-message public-coin interactive argument satisfying partial collapsing (Definition 3.4) with respect to the functions $f_1, \ldots, f_{k-1}$ (but not necessarily $f_k$), the procedure $\mathsf{Extract}_k$ has the following properties for any instance $x$.

1. Efficiency: For any QPT prover $P^*$, $\mathsf{Extract}_k^{P^*}$ runs in expected polynomial time ($\mathsf{EQPT}_m$). More formally, the number of calls that $\mathsf{Extract}_k^{P^*}$ makes to $P^*$ is a classical random variable whose expectation is a fixed polynomial in $k, \lambda$.

2. Correctness: $\mathsf{Extract}$ aborts with negligible probability.

3. Distribution of outputs: For every choice of $(vk, a)$, let $\gamma = \gamma_{vk,a}$ denote the success probability of $P^*$ conditioned on the first two messages $(vk, a)$. Then, if $\gamma > \delta^{1/3}$, the distribution of $(r_1, \ldots, r_k)$ (conditioned on $(vk, a)$ and a successful first execution) is $O(1/\gamma)$-admissible (Definition 5.3).


8.3 Proof of Theorem 8.2 
8.3.1 Intermediate State Notation 


Our extraction procedure and analysis make use of four relevant registers:

• A challenge randomness register $R$,
• A prover state register $H$,
• A phase estimation workspace register $W$, and
• A one-qubit register $B$ that contains a bit $b$ where $b = 1$ indicates that the computation has not aborted during a sub-computation.

We now establish some conventions:

• states written using the letter $\rho$ satisfy $\rho \in S(B \otimes H \otimes R)$ or $\rho \in S(H \otimes R)$, where we use $S(H)$ to denote the space of Hermitian operators on $H$;

• states using the letter $\sigma$ satisfy $\sigma \in S(B \otimes H \otimes W)$ or $\sigma \in S(H \otimes W)$;

• states using the letter $\phi$ satisfy $\phi \in S(B \otimes H)$ or $\phi \in S(H)$;

• states using the letter $\tau$ satisfy $\tau \in S(H \otimes W \otimes R)$.


With these conventions in mind, we define some intermediate states related to the extraction procedure:

• Let $\psi$ denote the prover state after $(vk, a)$ is generated.
• Let $\rho^{(2)}_{H,R}$ denote the state obtained at the end of Step 2.
• For each iteration of the Step 3 loop, we define the following states:

– Let $\rho^{\mathrm{init}}_{B,H,R}$ denote the state at the beginning of Step 3. The register $B$ is initialized to $|1\rangle\langle 1|$. For the rest of the loop iteration, $B$ is set to $|0\rangle\langle 0|$ if the computation aborts.

– Let $\rho^{(C)}_{B,H,R}$ denote the state at the end of Step 3a.

– Let $\phi^{(3b)}_{B,H}$ denote the state at the end of Step 3b.
– Let $\sigma^{(3c)}_{B,H,W}$ denote the state at the end of Step 3c.
– Let $\sigma^{(3e)}_{B,H,W}$ denote the state immediately before the $W$ register is traced out during Step 3f.

– Let $\phi^{(3f)}_{B,H}$ denote the state at the end of Step 3f.

– Let $\rho^{(3g)}_{B,H,R}$ denote the state at the end of Step 3g.


As in Lemma 7.1, let the Jordan decomposition of $H \otimes R$ corresponding to $\Pi_C, \Pi_U$ be $\{S_j\}_j$, where subspace $S_j$ is associated with the eigenvalue/success probability $p_j$. Let $\Pi^{\mathrm{Jor}}_j$ be the projection onto $S_j$, i.e., $\mathrm{image}(\Pi^{\mathrm{Jor}}_j) = S_j$. Define the following projections on $H \otimes R$:
• $\Pi^{\mathrm{Jor}}_{\geq p} = \sum_{j : p_j \geq p}\Pi^{\mathrm{Jor}}_j$
• $\Pi^{\mathrm{Jor}}_{< p} = \sum_{j : p_j < p}\Pi^{\mathrm{Jor}}_j$
We additionally define the following projectors on $B \otimes H \otimes R$:
$$\Pi^{\mathrm{Jor},B}_{\geq p} = |1\rangle\langle 1|_B \otimes \Pi^{\mathrm{Jor}}_{\geq p} \quad\text{and}\quad \Pi^{\mathrm{Jor},B}_{< p} = I_{B,H,R} - \Pi^{\mathrm{Jor},B}_{\geq p}.$$

Claim 8.3. For any estimate $p$ and any state $\rho^{\mathrm{init}}_{B,H,R}$ such that $\mathrm{Tr}(\Pi^{\mathrm{Jor},B}_{\geq p}\,\rho^{\mathrm{init}}_{B,H,R}) = 1$, the state $\rho^{(C)}_{B,H,R}$ obtained by running $b \leftarrow \mathsf{Threshold}_{p,\varepsilon,\delta}$ (and then redefining $p := p - \varepsilon$) and setting $B = |b\rangle\langle b|$ satisfies
$$\mathrm{Tr}\big(\Pi^{\mathrm{Jor},B}_{< p}\,\rho^{(C)}_{B,H,R}\big) \leq \delta.$$

Proof. When $\mathsf{Threshold}_{p,\varepsilon,\delta}$ returns 0, the computation aborts. Therefore, the claim follows immediately from the almost-projectivity of Threshold (Corollary 6.7). □


8.3.2 Analysis of Steps 1 and 2

We first show that Steps 1 and 2 run in expected polynomial time, and bound the statistic $\mathbb{E}[1/p \cdot X_1]$, where $p$ is the output of Step 2 and $X_1$ is the indicator for the event "Step 1 does not abort".

Lemma 8.4. The expected runtime of Steps 1 and 2 is $O(1)$. Moreover,
$$\mathbb{E}[1/p \cdot X_1] = O(1).$$

Proof. Let $|\psi\rangle$ denote the state of $P^*$ after $(vk, a)$ are generated. Then, consider the $(U, C)$-Jordan decomposition
$$|\psi\rangle \otimes |+_R\rangle = \sum_j \alpha_j |v_{j,1}\rangle,$$
where each $|v_{j,1}\rangle \in S_j \cap \mathrm{image}(\Pi_U)$. Let $\gamma = \sum_j \alpha_j^2 p_j$ denote the initial success probability of $|\psi\rangle$.

Step 1 runs in a fixed polynomial time and aborts with probability $1 - \gamma$. Otherwise, Step 2 is run on the residual state
$$\frac{1}{\sqrt{\gamma}}\sum_j \alpha_j\sqrt{p_j}\,|w_{j,1}\rangle,$$
where $|w_{j,1}\rangle$ is a basis vector in $S_j \cap \mathrm{image}(\Pi_C)$. The guarantee of $\mathsf{VarEstimate}$ (Section 6.2) tells us that both the runtime of $\mathsf{VarEstimate}^{C,U}$ on this state (making oracle use of $C, U$) and the expectation of $1/p$ (where $p$ is the output of Step 2) are at most a constant times
$$\frac{1}{\gamma}\sum_j \alpha_j^2 p_j \cdot \frac{1}{p_j} + \delta \cdot \frac{1}{\delta} \leq \frac{1}{\gamma}\sum_j \alpha_j^2 + 1 = \frac{1}{\gamma} + 1,$$
so since $\Pr[\text{Step 1 does not abort}] = \gamma$, the overall expected value bounds are as claimed. □


8.3.3 The Pseudoinverse State 


As stated earlier, let $\rho^{(C)}_{B,H,R}$ denote the state at the end of Step 3a (for some arbitrary iteration of Step 3). We prove some important properties of the subsequent states in the execution of Step 3, starting with Step 3b, which measures the $R$ register, obtaining a challenge $r$ and resulting state $\phi^{(3b)}_{B,H}$. For a projector $\Pi$ we write $\Pi^B := |0\rangle\langle 0|_B \otimes I + |1\rangle\langle 1|_B \otimes \Pi$. Let
$$\rho^{(C,1)}_{B,H,R} = \frac{(\Pi^{\mathrm{Jor}}_{\geq p})^B\,\rho^{(C)}_{B,H,R}\,(\Pi^{\mathrm{Jor}}_{\geq p})^B}{\mathrm{Tr}\big((\Pi^{\mathrm{Jor}}_{\geq p})^B\,\rho^{(C)}_{B,H,R}\big)}$$
denote the residual state; we write $\rho^{(C,1)}_{B,H,R} = \alpha_0|0\rangle\langle 0|_B \otimes \rho^{(C,0)}_{H,R} + \alpha_1|1\rangle\langle 1|_B \otimes \rho^{(C,1)}_{H,R}$. By Claim 8.3 we have that:

Claim 8.5. $\mathrm{Tr}\big((\Pi^{\mathrm{Jor}}_{\geq p})^B\,\rho^{(C)}_{B,H,R}\big) \geq 1 - \delta$.

By gentle measurement, it then follows that
$$d\big(\rho^{(C)}_{B,H,R},\ \rho^{(C,1)}_{B,H,R}\big) \leq 2\sqrt{\delta}.$$
Let $\rho^{(U,1)}_{B,H,R} = \alpha_0|0\rangle\langle 0|_B \otimes \rho^{(C,0)}_{H,R} + \alpha_1|1\rangle\langle 1|_B \otimes \rho^{(U,1)}_{H,R}$, where $\rho^{(U,1)}_{H,R}$ denotes the state guaranteed to exist by applying Lemma 7.1 with $B = U$ and $A = C$ on $\rho^{(C,1)}_{H,R}$. Recall from Lemma 7.1 that $\mathrm{Tr}(\Pi_U\,\rho^{(U,1)}_{H,R}) = 1$, since $\mathrm{Tr}(\Pi^{\mathrm{Jor}}_{< p}\,\rho^{(C,1)}_{H,R}) = 0$. Moreover, we also have:

Claim 8.6.
$$\rho^{(C,1)}_{H,R} = \frac{\Pi_C\,\rho^{(U,1)}_{H,R}\,\Pi_C}{\mathrm{Tr}(\Pi_C\,\rho^{(U,1)}_{H,R})}.$$

Proof. $\rho^{(C)}_{H,R}$ is a state satisfying $\mathrm{Tr}(\Pi_C\,\rho^{(C)}_{H,R}) = 1$, and $\rho^{(C,1)}_{H,R}$ is then a (re-normalized) projection of $\rho^{(C)}_{H,R}$ onto $(U, C)$-Jordan subspaces with bounded Jordan $p_j$-value. Therefore, $\rho^{(C,1)}_{H,R}$ also satisfies $\mathrm{Tr}(\Pi_C\,\rho^{(C,1)}_{H,R}) = 1$.
From Lemma 7.1 (Property 2) we then have
$$d\left(\rho^{(C,1)}_{H,R},\ \frac{\Pi_C\,\rho^{(U,1)}_{H,R}\,\Pi_C}{\mathrm{Tr}(\Pi_C\,\rho^{(U,1)}_{H,R})}\right) \leq 2\,\mathrm{Tr}\big((I - \Pi_C)\,\rho^{(C,1)}_{H,R}\big) = 0,$$
which implies $\rho^{(C,1)}_{H,R} = \Pi_C\,\rho^{(U,1)}_{H,R}\,\Pi_C / \mathrm{Tr}(\Pi_C\,\rho^{(U,1)}_{H,R})$. □

Finally, because $\mathrm{Tr}(\Pi^{\mathrm{Jor}}_{< p}\,\rho^{(C,1)}_{H,R}) = 0$, Lemma 7.1 (Property 3) tells us that $\mathrm{Tr}(\Pi^{\mathrm{Jor}}_{< p}\,\rho^{(U,1)}_{H,R}) = 0$ as well.
Define $p_U = \mathrm{Tr}(\Pi_C\,\rho^{(U,1)}_{H,R})$ to be the normalization factor above, which is equal to the ($C$-)success probability of $\rho^{(U,1)}_{H,R}$.

Claim 8.7. $p_U \geq p$.

Proof. Since $\mathrm{Tr}(\Pi_U\,\rho^{(U,1)}_{H,R}) = 1$ and $\Pi_C$ commutes with each $\Pi^{\mathrm{Jor}}_j$, we have:
$$\mathrm{Tr}\big(\Pi_C\,\rho^{(U,1)}_{H,R}\big) = \mathrm{Tr}\big(\Pi_C\,\Pi_U\,\rho^{(U,1)}_{H,R}\,\Pi_U\big) = \sum_{j : p_j \geq p}\mathrm{Tr}\big(\Pi_C\,\Pi^{\mathrm{Jor}}_j\,\rho^{(U,1)}_{H,R}\,\Pi^{\mathrm{Jor}}_j\big) = \sum_{j : p_j \geq p} p_j\,\mathrm{Tr}\big(\Pi^{\mathrm{Jor}}_j\,\rho^{(U,1)}_{H,R}\big) \geq p. \qquad □$$

Since $\mathrm{Tr}(\Pi_U\,\rho^{(U,1)}_{H,R}) = 1$, it can be written in the form $\phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|$. For each $r$, we define $\zeta_r = \mathrm{Tr}(\Pi_{V,r}\,\phi^{(U,1)}_H)$ to be the success probability of $\phi^{(U,1)}_H$ on $r$. Finally, define $\zeta_R = \sum_r \zeta_r$.
We now proceed to analyze the state $\phi^{(3b)}_{B,H}$. To do so, we first define $\phi^{(3b,1)}_{B,H}$ to be the state at the end of Step 3b when $\rho^{(C,1)}_{B,H,R}$ is used in place of $\rho^{(C)}_{B,H,R}$. We know that $d(\phi^{(3b)}_{B,H}, \phi^{(3b,1)}_{B,H}) \leq 2\sqrt{\delta}$, so this characterization will suffice.


Claim 8.8. The state $\phi^{(3b,1)}_{B,H}$ is a mixed state with the following form: with probability $\alpha_0$, it is in the abort state. Otherwise, with conditional probability $\zeta_r/\zeta_R$, Step 3b measures challenge $r$ and the resulting state is
$$|1\rangle\langle 1|_B \otimes \frac{\Pi_{V,r}\,\phi^{(U,1)}_H\,\Pi_{V,r}}{\zeta_r}.$$

Proof. By definition of the pseudoinverse state $\rho^{(U,1)}_{H,R} = \phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|$, we can write
$$\rho^{(C,1)}_{H,R} = \frac{\Pi_C\big(\phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|\big)\Pi_C}{\mathrm{Tr}\big(\Pi_C(\phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|)\big)}.$$
Since $\Pi_C = \sum_{r \in R}\Pi_{V,r} \otimes |r\rangle\langle r|$, we can write
$$\Pi_C\big(\phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|\big)\Pi_C = \Big(\sum_{r \in R}\Pi_{V,r} \otimes |r\rangle\langle r|\Big)\big(\phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|\big)\Big(\sum_{r' \in R}\Pi_{V,r'} \otimes |r'\rangle\langle r'|\Big) = \frac{1}{|R|}\sum_{r, r' \in R}\Pi_{V,r}\,\phi^{(U,1)}_H\,\Pi_{V,r'} \otimes |r\rangle\langle r'|.$$
Its normalization is
$$\mathrm{Tr}\big(\Pi_C(\phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|)\big) = \frac{1}{|R|}\sum_{r \in R}\mathrm{Tr}\big(\Pi_{V,r}\,\phi^{(U,1)}_H\,\Pi_{V,r}\big) = \frac{\zeta_R}{|R|}.$$
Therefore, the probability of obtaining $r$ after measuring $R$ of $\rho^{(C,1)}_{H,R}$ is
$$\mathrm{Tr}\big((I \otimes |r\rangle\langle r|)\,\rho^{(C,1)}_{H,R}\big) = \frac{\frac{1}{|R|}\mathrm{Tr}\big(\Pi_{V,r}\,\phi^{(U,1)}_H\,\Pi_{V,r}\big)}{\zeta_R/|R|} = \frac{\zeta_r}{\zeta_R},$$
and the post-measurement state is $\Pi_{V,r}\,\phi^{(U,1)}_H\,\Pi_{V,r}/\zeta_r$. Thus, the state $\phi^{(3b,1)}_{B,H}$ is as claimed. □

In particular, Claim 8.8 tells us that the ratio $\zeta_R/|R|$ is exactly $\mathrm{Tr}(\Pi_C\,\rho^{(U,1)}_{H,R}) = p_U$.
We begin our analysis of the repair step by defining the following states:
1. $\sigma^{(U,1)}_{H,W} = \phi^{(U,1)}_H \otimes |0\rangle\langle 0|_W$. Here, $\phi^{(U,1)}_H$ is the state satisfying $\rho^{(U,1)}_{H,R} = \phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|_R$.
2. $\sigma^{(U,1,r)}_{H,W} = \dfrac{\Pi_r\,\sigma^{(U,1)}_{H,W}\,\Pi_r}{\zeta_r}$, where $\zeta_r = \mathrm{Tr}(\Pi_r\,\sigma^{(U,1)}_{H,W})$ as above.

By Claim 8.8 we can view our variant of Steps 3b to 3e as follows:
• With probability $\alpha_0$, abort. Otherwise:

• A challenge is sampled so that each string $r$ occurs with probability $\zeta_r/\zeta_R$.

• If the string $r$ is sampled, initialize the state to $|1\rangle\langle 1|_B \otimes \sigma^{(U,1,r)}_{H,W}$.
Unfortunately, the state $\sigma^{(U,1)}_{H,W}$ only satisfies $\mathrm{Tr}(\Pi_{p,\varepsilon,\delta}\,\sigma^{(U,1)}_{H,W}) \geq 1 - \delta$ (it is not quite fully in the image of $\Pi_{p,\varepsilon,\delta}$). With this in mind, we define two additional states:

3. $\tilde\sigma^{(U,1)}_{H,W} = \dfrac{\Pi_{p,\varepsilon,\delta}\,\sigma^{(U,1)}_{H,W}\,\Pi_{p,\varepsilon,\delta}}{\mathrm{Tr}(\Pi_{p,\varepsilon,\delta}\,\sigma^{(U,1)}_{H,W})}$. Since $\mathrm{Tr}(\Pi_{p,\varepsilon,\delta}\,\sigma^{(U,1)}_{H,W}) \geq 1 - \delta$, we have $d(\sigma^{(U,1)}_{H,W}, \tilde\sigma^{(U,1)}_{H,W}) \leq 2\sqrt{\delta}$ by Lemma 3.1.

4. $\tilde\sigma^{(U,1,r)}_{H,W} = \Pi_r\,\tilde\sigma^{(U,1)}_{H,W}\,\Pi_r / \mathrm{Tr}(\Pi_r\,\tilde\sigma^{(U,1)}_{H,W})$.

Let $\tilde\zeta_r = \mathrm{Tr}(\Pi_r\,\tilde\sigma^{(U,1)}_{H,W})$, and observe that $|\zeta_r - \tilde\zeta_r| \leq 2\sqrt{\delta}$. Define $\tilde\zeta_R = \sum_r \tilde\zeta_r$ and $\tilde p_U := \tilde\zeta_R/|R|$.

Claim 8.9. $|\tilde p_U - p_U| \leq 2\sqrt{\delta}$.

Proof. For every string $r$, we have that
$$|\zeta_r - \tilde\zeta_r| = \big|\mathrm{Tr}\big(\Pi_r(\sigma^{(U,1)}_{H,W} - \tilde\sigma^{(U,1)}_{H,W})\big)\big| \leq 2\sqrt{\delta}$$
since $\|\sigma^{(U,1)}_{H,W} - \tilde\sigma^{(U,1)}_{H,W}\|_1 \leq 2\sqrt{\delta}$. Therefore, we have that
$$|p_U - \tilde p_U| = \left|\frac{\zeta_R}{|R|} - \frac{\tilde\zeta_R}{|R|}\right| \leq \frac{1}{|R|}\sum_r |\zeta_r - \tilde\zeta_r| \leq 2\sqrt{\delta}$$
by subadditivity. □
Consider the following two mixed states
$$\tau_{H,R,W} := \sum_r \frac{\zeta_r}{\zeta_R}\,|r\rangle\langle r|_R \otimes \sigma^{(U,1,r)}_{H,W}, \quad\text{and}\quad \tilde\tau_{H,R,W} := \sum_r \frac{\tilde\zeta_r}{\tilde\zeta_R}\,|r\rangle\langle r|_R \otimes \tilde\sigma^{(U,1,r)}_{H,W}.$$

We claim that these two mixed states are close in trace distance.
Claim 8.10. $\|\tau - \tilde\tau\|_1 \leq \dfrac{4\sqrt{\delta}}{\tilde p_U}$.

To see this, introduce the intermediate operator $\tau' := \frac{1}{\tilde\zeta_R}\sum_r |r\rangle\langle r|_R \otimes \Pi_r\,\sigma^{(U,1)}_{H,W}\,\Pi_r$, which differs from $\tau = \frac{1}{\zeta_R}\sum_r |r\rangle\langle r|_R \otimes \Pi_r\,\sigma^{(U,1)}_{H,W}\,\Pi_r$ only in its normalization. We first note that
$$\|\tau - \tau'\|_1 = \sum_r \zeta_r\left|\frac{1}{\zeta_R} - \frac{1}{\tilde\zeta_R}\right| = \frac{|\tilde\zeta_R - \zeta_R|}{\tilde\zeta_R} \leq \frac{2\sqrt{\delta}\,|R|}{\tilde\zeta_R} = \frac{2\sqrt{\delta}}{\tilde p_U}.$$

Moreover, we have that
$$\|\tau' - \tilde\tau\|_1 = \left\|\sum_r |r\rangle\langle r|_R \otimes \frac{1}{\tilde\zeta_R}\,\Pi_r\big(\sigma^{(U,1)}_{H,W} - \tilde\sigma^{(U,1)}_{H,W}\big)\Pi_r\right\|_1 \leq \frac{|R|}{\tilde\zeta_R}\,\big\|\sigma^{(U,1)}_{H,W} - \tilde\sigma^{(U,1)}_{H,W}\big\|_1 \leq \frac{|R|}{\tilde\zeta_R}\cdot 2\sqrt{\delta} = \frac{2\sqrt{\delta}}{\tilde p_U}.$$

Thus, we conclude that $\|\tau - \tilde\tau\|_1 \leq \frac{2\sqrt{\delta}}{\tilde p_U} + \frac{2\sqrt{\delta}}{\tilde p_U} \leq \frac{4\sqrt{\delta}}{\tilde p_U}$ by the triangle inequality.
This trace bound will allow us to analyze correctness and bound the expected runtime of the extractor by appealing to properties of the state $\tilde\tau$.


8.3.4 Runtime Analysis
In this section, we bound the expected running time of $\mathsf{Extract}$ (proving property (1) of Theorem 8.2).
Theorem 8.11. For any QPT $P^*$, $\mathsf{Extract}^{P^*}$ runs in $\mathsf{EQPT}_m$.

We note that Lemma 8.4 already showed that the expected running time of Steps 1 and 2 is $O(1)$ calls to $(U, C)$.

Next, we show that the expected runtime of the main loop (Step 3) is also $\mathrm{poly}(\lambda)$. To prove this, we make use of the syntactic property (enforced by the definition of $\mathsf{Extract}$) that for every $i \in \{0, 1, \ldots, k\}$, the state $\rho^{\mathrm{init}}_{B,H,R}$ at the beginning of the $i$th iteration of Step 3 is in $\mathrm{image}(\Pi_C)$ (provided that the computation has not aborted). We then show

Lemma 8.12. Let $p$ be an arbitrary real number output by Step 2, and let $\rho^{\mathrm{init}}_{B,H,R}$ be an arbitrary non-aborted state (i.e. $B$ is initialized to $|1\rangle\langle 1|_B$) that is in the image of $\Pi_C$. Then, the expected runtime of one iteration of Step 3 on $\rho^{\mathrm{init}}_{B,H,R}$ is $\mathrm{poly}(\lambda)/p$.


Proof. We analyze the running time assuming that the collapsing measurement of Step 3d is not performed. This is without loss of generality; the steps following the (partial) collapsing measurement have a fixed runtime (as a function of previously computed parameters in the execution), so the collapsing measurement cannot affect the overall expected running time.²⁹

First, note that Steps 3a and 3g run in a fixed $\mathrm{poly}(\lambda)/\sqrt{p}$ time by the guarantees of Section 6. Thus, we focus on Steps 3c and 3e.
We bound the expected runtime of Steps 3c and 3e via the following hybrid argument.

• $\mathsf{Hyb}_0$: This is the real procedure, assuming that Step 3d is not performed.

• $\mathsf{Hyb}_1$: In this hybrid, the Step 3b measurement outcome and residual state $\phi^{(3b)}_{B,H}$ are prepared differently:

– With probability $\alpha_0$, abort. Otherwise:
– The challenge $r$ is sampled with probability equal to $\zeta_r/\zeta_R$.

– If the string $r$ is sampled, initialize the state to $|1\rangle\langle 1|_B \otimes \sigma^{(U,1,r)}_{H,W}$.

This is an alternate description of the state $\phi^{(3b,1)}_{B,H} \otimes |0\rangle\langle 0|_W$.
• $\mathsf{Hyb}_2$: In this hybrid, the state at the beginning of Step 3c (which is usually $\phi^{(3b)}_{B,H} \otimes |0\rangle\langle 0|_W$) is prepared differently:

– With probability $\alpha_0$, abort. Otherwise:

– A challenge is sampled so that each string $r$ occurs with probability $\tilde\zeta_r/\tilde\zeta_R$.

– If the string $r$ is sampled, initialize the state to $|1\rangle\langle 1|_B \otimes \tilde\sigma^{(U,1,r)}_{H,W}$.

²⁹ We only remove the collapsing measurement of the current loop iteration; previous collapsing measurements are baked into the (arbitrary) state $\rho^{\mathrm{init}}_{B,H,R}$.

Claim 8.13. The expected running times of $\mathsf{Hyb}_0$ and $\mathsf{Hyb}_1$ differ by at most $O(k)$, and the expected running times of $\mathsf{Hyb}_1$ and $\mathsf{Hyb}_2$ differ by at most $O(k/p)$.


Proof. The worst-case running time of $\mathsf{Extract}$ is bounded to be $k/\sqrt{\delta}$ by definition. We will combine this with trace distance bounds to prove the claim.

For $\mathsf{Hyb}_0$ and $\mathsf{Hyb}_1$, we note that the running time of Steps 3c and 3e can be viewed as a classical distribution over integers obtained via applying a CPTP map to the input state, which is either $\rho^{(C)}_{B,H,R}$ or $\rho^{(C,1)}_{B,H,R}$. Since trace distance is contractive under CPTP maps, we conclude that these integer distributions are $2\sqrt{\delta}$-close in statistical distance. Since (as integers) they are $(k/\sqrt{\delta})$-bounded, we conclude that their expectations differ by $O(k)$.

The argument is similar for $\mathsf{Hyb}_1$ and $\mathsf{Hyb}_2$, except that the running time of Steps 3c and 3e can instead be viewed as a classical distribution obtained via a CPTP map from either $\tau$ or $\tilde\tau$, which have trace distance at most $4\sqrt{\delta}/\tilde p_U = O(\sqrt{\delta}/p)$. □


Thus, it suffices to bound the expected runtime in the procedure $\mathsf{Hyb}_2$.

Without Step 3d, we can view Steps 3c and 3e as a variable-runtime $\mathsf{Transform}$ with respect to the projectors $(\Pi_r, \Pi_{p,\varepsilon,\delta})$, where $r$ is sampled from the above distribution. We first analyze the runtime of this procedure for a fixed value of $r$.

Let $\mathsf{M}^{\mathrm{Jor},r} = \{\Pi^{\mathrm{Jor},r}_j\}_j$ denote the Jordan measurement corresponding to the projections $(\Pi_r, \Pi_{p,\varepsilon,\delta})$, and let $q_j$ denote the eigenvalue associated with $\Pi^{\mathrm{Jor},r}_j$. Define the Jordan weights of $\tilde\sigma^{(U,1)}_{H,W}$ as the vector $(\nu^{\mathrm{Jor},r}_j)_j$ where
$$\nu^{\mathrm{Jor},r}_j = \mathrm{Tr}\big(\Pi^{\mathrm{Jor},r}_j\,\tilde\sigma^{(U,1)}_{H,W}\big).$$
Then, since $\tilde\sigma^{(U,1)}_{H,W} \in \mathrm{image}(\Pi_{p,\varepsilon,\delta})$ and $\Pi_r$ has overlap $q_j$ with $\Pi_{p,\varepsilon,\delta}$ inside the $j$-th Jordan subspace, the Jordan weights of $\tilde\sigma^{(U,1,r)}_{H,W} = \Pi_r\,\tilde\sigma^{(U,1)}_{H,W}\,\Pi_r/\tilde\zeta_r$ are $\left(\dfrac{q_j\,\nu^{\mathrm{Jor},r}_j}{\tilde\zeta_r}\right)_j$, where $\tilde\zeta_r = \sum_j q_j\,\nu^{\mathrm{Jor},r}_j$.

Claim 8.14. Given the string $r$ and state $\tilde\sigma^{(U,1,r)}_{H,W}$ as input, Steps 3c to 3e make an expected $\mathrm{poly}(\lambda)\cdot\sqrt{1/\tilde\zeta_r}$ calls to $\Pi_r$ and $\Pi_{p,\varepsilon,\delta}$.
Proof. By Theorem 6.4, the expected running time (in number of calls to $\Pi_r, \Pi_{p,\varepsilon,\delta}$) of Steps 3c to 3e on a state with Jordan weights $(w_j)_j$ is $\sum_j w_j \cdot \mathrm{poly}(\lambda)/\sqrt{q_j}$. With $w_j = q_j\,\nu^{\mathrm{Jor},r}_j/\tilde\zeta_r$ this is
$$\sum_j \frac{q_j\,\nu^{\mathrm{Jor},r}_j}{\tilde\zeta_r}\cdot\frac{\mathrm{poly}(\lambda)}{\sqrt{q_j}} = \frac{\mathrm{poly}(\lambda)}{\tilde\zeta_r}\sum_j \nu^{\mathrm{Jor},r}_j\sqrt{q_j} \leq \frac{\mathrm{poly}(\lambda)}{\tilde\zeta_r}\sqrt{\sum_j \nu^{\mathrm{Jor},r}_j\,q_j} = \mathrm{poly}(\lambda)\sqrt{\frac{1}{\tilde\zeta_r}},$$
where the inequality is Jensen's inequality (the weights $\nu^{\mathrm{Jor},r}_j$ sum to 1) and the last equality uses $\sum_j \nu^{\mathrm{Jor},r}_j\,q_j = \tilde\zeta_r$. This completes the proof of Claim 8.14. □


By Claim 8.14, along with the fact that $\Pi_{p,\varepsilon,\delta}$ is implemented in a fixed $\mathrm{poly}(\lambda)/\sqrt{p}$ time, the expected running time of Steps 3c to 3e in $\mathsf{Hyb}_2$ is:
$$\sum_{r \in R}\frac{\tilde\zeta_r}{\tilde\zeta_R}\cdot\frac{\mathrm{poly}(\lambda)}{\sqrt{p}}\cdot\sqrt{\frac{1}{\tilde\zeta_r}} = \frac{\mathrm{poly}(\lambda)}{\sqrt{p}}\sum_{r \in R}\frac{\sqrt{\tilde\zeta_r}}{\tilde\zeta_R} \leq \frac{\mathrm{poly}(\lambda)}{\sqrt{p}}\sqrt{\frac{|R|}{\tilde\zeta_R}} = \frac{\mathrm{poly}(\lambda)}{\sqrt{p}}\sqrt{\frac{1}{\tilde p_U}} \leq \frac{\mathrm{poly}(\lambda)}{\sqrt{p\,(p - 2\sqrt{\delta})}} \leq \frac{\mathrm{poly}(\lambda)}{p}, \qquad (3)$$
where the first inequality is an application of Jensen's inequality, the second inequality holds by Claim 8.9 (together with $p_U \geq p$ from Claim 8.7), and the last inequality holds by the abort condition in Step 2 ($p$ drops by a factor of at most 2 in the entire process).

This completes the proof of Lemma 8.12. □

Finally, combining Lemma 8.4 with Lemma 8.12, along with the fact that throughout the extraction procedure the updated value of $p$ is at most a factor of 2 smaller than the initial output of Step 2, we conclude that the overall expected running time of Step 3 is at most $\mathbb{E}[\mathrm{poly}(\lambda)/p] \leq \mathrm{poly}(\lambda)$, completing the proof of Theorem 8.11.


8.3.5 Correctness of the repair step
In this section, we prove that $\mathsf{Extract}$ aborts with negligible probability (property (2) of Theorem 8.2).

Lemma 8.15. The probability that the procedure aborts is negligible.

Proof. By Theorem 8.11 (and Markov's inequality), the probability that the procedure aborts because it ran for too long is $O(\mathrm{poly}(\lambda)\sqrt{\delta}) = \mathrm{negl}(\lambda)$.

By Lemma 8.4, $\mathbb{E}[1/p \cdot X] = O(1)$, where $X$ is the indicator for whether Step 1 outputs 1. Hence by Claim 8.16 (proven below) and Claim 8.3 (which implies that the first iteration of Step 3a only aborts with negligible probability), the probability that any iteration of the loop aborts when we remove Step 3d is at most
$$k \cdot O(\sqrt{\delta})\cdot\mathbb{E}[1/p \cdot X] = O(k\sqrt{\delta}),$$
which is negligible. Then by the collapsing guarantee (applied to the measurements of $y_1, \ldots, y_{k-1}$; it is not necessary for $y_k$), and by Theorem 8.11, the probability that any iteration of the loop aborts is negligible. □


Claim 8.16. Let $\rho_{H,R} \in S(H \otimes R)$ be a state such that $\mathrm{Tr}(\Pi_C\,\rho_{H,R}) = 1$, and consider running two iterations of Step 3 in sequence on $\rho_{H,R}$, with the following modifications:

• Step 3d is not applied, and
• The $O(k)/\sqrt{\delta}$ runtime cutoff has been removed.

Then, for any choice of $p \in [0,1]$, the probability that the first iteration (with initial value $p$) does not abort in Step 3a and the second iteration aborts in Step 3a is at most $O(\sqrt{\delta}/p)$.
Also, the probability that an iteration of Step 3 (where Step 3d is not applied) does not abort in Step 3a but does abort in Step 3g is at most $O(\sqrt{\delta}/p)$.


Proof. For a projector $\Pi$, we write $\Pi^B$ to denote the projection
$$|0\rangle\langle 0|_B \otimes I + |1\rangle\langle 1|_B \otimes \Pi.$$

Let $B$ store the output of Threshold in the first application of Step 3a. Recall that in Section 8.3.3 we have defined the following states:

• $\rho^{(C)}_{B,H,R}$ denotes the state after applying Step 3a (i.e., coherently applying Threshold to $\rho_{H,R}$ where the output is stored on $B$). The extraction procedure now re-defines/updates $p := p - \varepsilon$. Note that $\mathrm{Tr}\big((\Pi^{\mathrm{Jor}}_{\geq p})^B\,\rho^{(C)}_{B,H,R}\big) \geq 1 - \delta$ (Claim 8.5).

• $\rho^{(C)}_{H,R} = \langle 1|_B\,\rho^{(C)}_{B,H,R}\,|1\rangle_B / q$ where $q := \mathrm{Tr}\big(\langle 1|_B\,\rho^{(C)}_{B,H,R}\,|1\rangle_B\big)$. We may assume $q > 0$ or else the claim holds trivially.

• $\rho^{(C,1)}_{B,H,R} = (\Pi^{\mathrm{Jor}}_{\geq p})^B\,\rho^{(C)}_{B,H,R}\,(\Pi^{\mathrm{Jor}}_{\geq p})^B$ is the result of projecting $\rho^{(C)}_{B,H,R}$ onto eigenvalues $\geq p$ (for the Jordan decomposition corresponding to $\Pi_C, \Pi_U$) when $B = 1$.

• $\rho^{(C,1)}_{H,R} = \langle 1|_B\,\rho^{(C,1)}_{B,H,R}\,|1\rangle_B / q'$ where $q' := \mathrm{Tr}\big(\langle 1|_B\,\rho^{(C,1)}_{B,H,R}\,|1\rangle_B\big)$. Note that $\mathrm{Tr}(\Pi_C\,\rho^{(C,1)}_{H,R}) = 1$.

• $\rho^{(U,1)}_{H,R}$ denotes the pseudoinverse of $\rho^{(C,1)}_{H,R}$ with respect to $(U, C)$ as guaranteed by the pseudoinverse lemma (Lemma 7.1); by definition, $\mathrm{Tr}(\Pi_U\,\rho^{(U,1)}_{H,R}) = 1$. Moreover $\mathrm{Tr}(\Pi_C\,\rho^{(U,1)}_{H,R}) \geq p$ (Claim 8.7) since all the $(\Pi_C, \Pi_U)$-Jordan eigenvalues of $\rho^{(C,1)}_{H,R}$ are at least $p$, which implies the same property holds for the pseudoinverse state.

• $\phi^{(U,1)}_H = \mathrm{Tr}_R(\rho^{(U,1)}_{H,R})$. Note that since $\mathrm{Tr}(\Pi_U\,\rho^{(U,1)}_{H,R}) = 1$, we have $\rho^{(U,1)}_{H,R} = \phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|_R$.

• $\rho^{(3b,1)}_{H,R} := \dfrac{\sum_r \Pi_{V,r}\,\phi^{(U,1)}_H\,\Pi_{V,r} \otimes |r\rangle\langle r|}{|R|\cdot\mathrm{Tr}(\Pi_C\,\rho^{(U,1)}_{H,R})}$ is within trace distance $2\sqrt{\delta}$ of the state after measuring the $R$ register in Step 3b but before discarding $R$ (Claim 8.8).

• $\sigma^{(U,1)}_{H,W} = \phi^{(U,1)}_H \otimes |0\rangle\langle 0|_W$. We have that $\mathrm{Tr}(\Pi_{p,\varepsilon,\delta}\,\sigma^{(U,1)}_{H,W}) \geq 1 - \delta$ because $\mathsf{Threshold}_{p,\varepsilon,\delta}$ outputs 1 on $\rho^{(U,1)}_{H,R}$ with probability $1 - \delta$ by the Jordan spectrum guarantee of Threshold.

• $\tilde\sigma^{(U,1)}_{H,W} = \dfrac{\Pi_{p,\varepsilon,\delta}\,\sigma^{(U,1)}_{H,W}\,\Pi_{p,\varepsilon,\delta}}{\mathrm{Tr}(\Pi_{p,\varepsilon,\delta}\,\sigma^{(U,1)}_{H,W})}$. By the gentle measurement lemma (Lemma 3.1), we have $d\big(\sigma^{(U,1)}_{H,W}, \tilde\sigma^{(U,1)}_{H,W}\big) \leq 2\sqrt{\delta}$.

• $\tilde\sigma^{(U,1,r)}_{H,W} = \Pi_r\,\tilde\sigma^{(U,1)}_{H,W}\,\Pi_r / \tilde\zeta_r$, where $\tilde\zeta_r := \mathrm{Tr}(\Pi_r\,\tilde\sigma^{(U,1)}_{H,W})$ for all $r \in R$.

• $\tilde\tau_{H,W,R} := \sum_r \frac{\tilde\zeta_r}{\tilde\zeta_R}\,\tilde\sigma^{(U,1,r)}_{H,W} \otimes |r\rangle\langle r|$ for $\tilde\zeta_R = \sum_r \tilde\zeta_r$. By Claim 8.10 we have that $\tilde\tau_{H,W,R}$ is within trace distance $4\sqrt{\delta}/\tilde p_U$ of the state $\tau = \rho^{(3b,1)}_{H,R} \otimes |0\rangle\langle 0|_W$.


We now consider the application of the variable-runtime singular vector transform performed across Steps 3c and 3e (recall that we omit Step 3d for this analysis). We consider applying these steps to the state $\tilde\tau_{H,W,R}$. Note that Steps 3c and 3e commute with $\mathsf{M}^{\mathrm{Jor}}[D_r, G_{p,\varepsilon,\delta}]$. Hence, writing $\tilde\sigma^{(3e,r)}_{H,W}$ for the state after applying Steps 3c and 3e to $\tilde\sigma^{(U,1,r)}_{H,W}$, we have
$$\mathrm{Tr}\big(\Pi^{\mathrm{Jor},r}_j\,\tilde\sigma^{(3e,r)}_{H,W}\big) = \mathrm{Tr}\big(\Pi^{\mathrm{Jor},r}_j\,\tilde\sigma^{(U,1,r)}_{H,W}\big),$$
where $\Pi^{\mathrm{Jor},r}_j$ is the $j$-th element of $\mathsf{M}^{\mathrm{Jor}}[D_r, G_{p,\varepsilon,\delta}]$. Let $\Pi^{\mathrm{stuck}}_{G_{p,\varepsilon,\delta}}$ be defined (analogous to $\Pi^{\mathrm{stuck}}_B$ in Claim 7.2) as $\Pi^{\mathrm{stuck}}_{G_{p,\varepsilon,\delta}} = \sum_{j \in S}\Pi^{\mathrm{Jor},r}_j$, where $S$ is the set of all $j$ where $S_j$ is a one-dimensional Jordan subspace $S_j \subseteq \mathrm{image}(I - \Pi_{p,\varepsilon,\delta})$. We now invoke Claim 7.2 to "rotate" the state $\tilde\sigma^{(3e,r)}_{H,W}$ into $\mathrm{image}(\Pi_{p,\varepsilon,\delta})$ while preserving the Jordan spectrum, which is possible as long as the component of the state in $\Pi^{\mathrm{stuck}}_{G_{p,\varepsilon,\delta}}$ is 0. This is satisfied here because $\mathrm{Tr}\big(\Pi^{\mathrm{stuck}}_{G_{p,\varepsilon,\delta}}\,\tilde\sigma^{(3e,r)}_{H,W}\big) = \mathrm{Tr}\big(\Pi^{\mathrm{stuck}}_{G_{p,\varepsilon,\delta}}\,\tilde\sigma^{(U,1,r)}_{H,W}\big) = 0$, since $\tilde\sigma^{(U,1)}_{H,W}$ was defined so that $\mathrm{Tr}(\Pi_{p,\varepsilon,\delta}\,\tilde\sigma^{(U,1)}_{H,W}) = 1$.

Additionally, by the guarantee of Theorem 6.4, $\mathrm{Tr}\big(\Pi_{p,\varepsilon,\delta}\,\tilde\sigma^{(3e,r)}_{H,W}\big) \geq 1 - \delta$. Hence by Claim 7.2 there exists a state $\hat\sigma^{(3e,r)}_{H,W}$ with the same Jordan spectrum as $\tilde\sigma^{(3e,r)}_{H,W}$, $\mathrm{Tr}\big(\Pi_{p,\varepsilon,\delta}\,\hat\sigma^{(3e,r)}_{H,W}\big) = 1$ and $d\big(\hat\sigma^{(3e,r)}_{H,W}, \tilde\sigma^{(3e,r)}_{H,W}\big) \leq \sqrt{\delta}$. Note that $\hat\sigma^{(3e,r)}_{H,W}$ also has the same Jordan spectrum as $\tilde\sigma^{(U,1,r)}_{H,W}$.

Consider the pseudoinverse state $\hat\sigma^{(r)}_{H,W}$ under $(D_r, G_{p,\varepsilon,\delta})$ of $\hat\sigma^{(3e,r)}_{H,W}$. Since the Jordan spectrum of $\hat\sigma^{(3e,r)}_{H,W} \in \mathrm{image}(\Pi_{p,\varepsilon,\delta})$ is identical to the Jordan spectrum of $\tilde\sigma^{(U,1,r)}_{H,W} \in \mathrm{image}(\Pi_r)$, and $\tilde\sigma^{(U,1)}_{H,W}$ is the pseudoinverse under $(G_{p,\varepsilon,\delta}, D_r)$ of $\tilde\sigma^{(U,1,r)}_{H,W}$, it follows that
$$\mathrm{Tr}\big(\Pi_{p,\varepsilon,\delta}\,\hat\sigma^{(r)}_{H,W}\big) = \mathrm{Tr}\big(\Pi_r\,\tilde\sigma^{(U,1)}_{H,W}\big) = \tilde\zeta_r \quad\text{and}\quad \hat\sigma^{(3e,r)}_{H,W} = \Pi_{p,\varepsilon,\delta}\,\hat\sigma^{(r)}_{H,W}\,\Pi_{p,\varepsilon,\delta}/\tilde\zeta_r.$$

Hence, if the state before Step 3c is $\sum_r \frac{\tilde\zeta_r}{\tilde\zeta_R}|r\rangle\langle r| \otimes \tilde\sigma^{(U,1,r)}_{H,W}$ (which is close to the actual state before Step 3c), then the state after Step 3e is $O(\sqrt{\delta})$-close to the mixed state
$$\sum_r \frac{\tilde\zeta_r}{\tilde\zeta_R}\,|r\rangle\langle r| \otimes \hat\sigma^{(3e,r)}_{H,W} = \sum_r \frac{1}{\tilde\zeta_R}\,|r\rangle\langle r| \otimes \Pi_{p,\varepsilon,\delta}\,\hat\sigma^{(r)}_{H,W}\,\Pi_{p,\varepsilon,\delta}.$$

Therefore, writing $\hat\sigma^{(r)}_{H,W} = \hat\phi^{(r)}_H \otimes |0\rangle\langle 0|_W$ (which has this form since $\hat\sigma^{(r)}_{H,W} \in \mathrm{image}(\Pi_r)$), the state at the end of Step 3f is $O(\sqrt{\delta})$-close to
$$\phi^{(3f)}_H = \sum_{r \in R}\frac{1}{\tilde\zeta_R}\,M_{p,\varepsilon,\delta}\,\hat\phi^{(r)}_H\,M^\dagger_{p,\varepsilon,\delta},$$
and moreover $\mathrm{Tr}\big(M_{p,\varepsilon,\delta}\,\hat\phi^{(r)}_H\,M^\dagger_{p,\varepsilon,\delta}\big) = \tilde\zeta_r$, where $M_{p,\varepsilon,\delta}$ is the measurement element of $T_{p,\varepsilon,\delta}$ that corresponds to a 1 outcome.
By the guarantee of Threshold (Theorem 6.2), it holds that for all states $\phi \in S(H)$,
$$\mathrm{Tr}\Big((I - \Pi^{\mathrm{Jor}}_{\geq p})\big(M_{p,\varepsilon,\delta}\,\phi\,M^\dagger_{p,\varepsilon,\delta} \otimes |+_R\rangle\langle +_R|\big)\Big) \leq \delta,$$
and so by linearity,
$$\mathrm{Tr}\Big((I - \Pi^{\mathrm{Jor}}_{\geq p})\big(\phi^{(3f)}_H \otimes |+_R\rangle\langle +_R|\big)\Big) = \sum_{r \in R}\frac{1}{\tilde\zeta_R}\,\mathrm{Tr}\Big((I - \Pi^{\mathrm{Jor}}_{\geq p})\big(M_{p,\varepsilon,\delta}\,\hat\phi^{(r)}_H\,M^\dagger_{p,\varepsilon,\delta} \otimes |+_R\rangle\langle +_R|\big)\Big) \leq \frac{1}{\tilde\zeta_R}\cdot|R|\cdot\delta = \frac{\delta}{\tilde p_U} \leq \frac{\delta}{p - 2\sqrt{\delta}} \qquad (4)$$
$$= O(\delta/p),$$
where Eq. (4) holds by Claim 8.9. It follows from the guarantees of the fixed-runtime singular vector transform (Theorem 6.1) that the state at the end of Step 3g is $O(\delta)$-close to the state $\rho^{(3g)}_{H,R} = \mathsf{Transform}[U \to C]\big(\phi^{(3f)}_H \otimes |+_R\rangle\langle +_R|_R\big)$, which has the property that
$$\mathrm{Tr}\Big((I - \Pi_C)\,\mathsf{Transform}[U \to C]\big(\phi^{(3f)}_H \otimes |+_R\rangle\langle +_R|_R\big)\Big) \leq \delta.$$

Combining this with $\mathrm{Tr}\big((I - \Pi^{\mathrm{Jor}}_{\geq p})(\phi^{(3f)}_H \otimes |+_R\rangle\langle +_R|)\big) \leq O(\delta/p)$, we conclude that if the state before Step 3c is $\tilde\tau_{H,W,R}$ then the probability that Step 3g aborts is at most $O(\delta/p)$. Additionally, the guarantee of Threshold (Theorem 6.2) implies that in the next iteration of Step 3 the probability that Step 3a aborts on $\rho^{(3g)}_{H,R}$ is also at most $O(\delta/p)$. By a trace distance argument, the probability that Step 3g or the subsequent Step 3a aborts in a real execution of Step 3 (with the modifications as in the statement of Claim 8.16) when the first Step 3a did not abort is at most $O(\sqrt{\delta}/p)$. This completes the proof of Claim 8.16. □
8.3.6 Correctness of Transcript Generation

Finally, we prove property (3) of Theorem 8.2.

Lemma 8.17. For every $\tau_{\mathrm{pre}} = (vk, a)$, let $\gamma = \gamma_{vk,a}$ denote the initial success probability of $P^*$ conditioned on $\tau_{\mathrm{pre}}$. Then, if $\gamma > \delta^{1/3}$, the distribution $D_\gamma$ on $(r_1, \ldots, r_k)$ (conditioned on $(vk, a)$ and a successful first execution) is $O(1/\gamma)$-admissible (Definition 5.5).

This follows by appealing to the following claim in each round, making use of the fact that the expectation of $1/p$ conditioned on an accepting initial execution is equal³⁰ to $1/\gamma$; the $O(\sqrt{\delta})$-closeness from the claim also degrades to $O(\sqrt{\delta}/\gamma)$ when conditioning on an accepting initial execution.


Claim 8.18. Consider the distribution $D$ supported on $R \cup \{\bot\}$ obtained by running a single iteration of Step 3 with parameter $p$ on an arbitrary state $\rho \in S(H \otimes R)$ with $\mathrm{Tr}(\Pi_C\,\rho) = 1$ (where $r := \bot$ if $\mathsf{Extract}$ aborts). There exists a procedure $\mathsf{Samp}$ that makes expected $O(1/p)$ queries to a uniform sampling oracle $O_R$ (but can otherwise behave arbitrarily and inefficiently) that outputs a distribution $O(\sqrt{\delta})$-close to $D$, and if the output of $\mathsf{Samp}$ is not $\bot$ then it is one of the responses to its oracle queries.


Proof. $\mathsf{Samp}$ initially behaves similarly to $\mathsf{Extract}$: apply $\mathsf{Threshold}_{p,\varepsilon,\delta}$ to $\rho$; if Threshold outputs 0 then output $\bot$. Let $\rho^{(C)}_{B,H,R}$ be the state after applying Threshold, and (as in $\mathsf{Extract}$) re-set $p := p - \varepsilon$.

As before, let
$$\rho^{(C,1)}_{B,H,R} = \frac{(\Pi^{\mathrm{Jor}}_{\geq p})^B\,\rho^{(C)}_{B,H,R}\,(\Pi^{\mathrm{Jor}}_{\geq p})^B}{\mathrm{Tr}\big((\Pi^{\mathrm{Jor}}_{\geq p})^B\,\rho^{(C)}_{B,H,R}\big)}.$$
Let $\rho^{(U,1)}_{H,R}$ be the pseudoinverse of $\rho^{(C,1)}_{H,R} = \langle 1|_B\,\rho^{(C,1)}_{B,H,R}\,|1\rangle_B / \mathrm{Tr}\big(\langle 1|_B\,\rho^{(C,1)}_{B,H,R}\,|1\rangle_B\big)$ as guaranteed by the pseudoinverse lemma (Lemma 7.1). We have by Lemmas 3.1 and 7.1 that $d\big(\rho^{(C)}_{B,H,R}, \rho^{(C,1)}_{B,H,R}\big) \leq 2\sqrt{\delta}$ and $\rho^{(C,1)}_{H,R} = \dfrac{\Pi_C\,\rho^{(U,1)}_{H,R}\,\Pi_C}{\mathrm{Tr}(\Pi_C\,\rho^{(U,1)}_{H,R})}$. Finally, write $\rho^{(U,1)}_{H,R} = \phi^{(U,1)}_H \otimes |+_R\rangle\langle +_R|_R$.

$\mathsf{Samp}$ now behaves differently than $\mathsf{Extract}$. $\mathsf{Samp}$ "clones" $\phi^{(U,1)}_H$ (recall that $\mathsf{Samp}$ can be an arbitrary function) and repeats the following until $b = 1$: query $O_R$, obtaining $r \in R$; on a fresh copy of $\phi^{(U,1)}_H$, measure whether the verifier accepts on challenge $r$ (i.e., $(\Pi_{V,r}, I - \Pi_{V,r})$), obtaining bit $b$. Output $r$ if $b = 1$.

Let $p_U = \mathrm{Tr}(\Pi_C\,\rho^{(U,1)}_{H,R})$; we have that $p_U \geq p$ by Claim 8.7. Hence, the expected number of queries $\mathsf{Samp}$ makes is $1/p_U \leq 1/p$. Observe that $p_U$ is the probability that a uniform $r$ is accepted. Let $\zeta_r = \mathrm{Tr}(\Pi_{V,r}\,\phi^{(U,1)}_H)$; $\zeta_r$ is the probability that $r$ is accepted. Then, for every $r^* \in R$,
$$\Pr[\mathsf{Samp}\text{ outputs } r^*] = \sum_{n \geq 0}\Pr[r_1, \ldots, r_n \text{ rejected}]\cdot\Pr[r_{n+1} = r^*,\ r^* \text{ accepted}] = \sum_{n \geq 0}(1 - p_U)^n\cdot\frac{\zeta_{r^*}}{|R|} = \frac{\zeta_{r^*}}{p_U\cdot|R|}.$$

Consider now the distribution on $r$ obtained by measuring $R$ on the state $\rho^{(C,1)}_{H,R}$: for every $r^*$,
$$\Pr[r = r^*] = \mathrm{Tr}\big((I \otimes |r^*\rangle\langle r^*|)\,\rho^{(C,1)}_{H,R}\big) = \frac{\mathrm{Tr}\big((I \otimes |r^*\rangle\langle r^*|)\,\Pi_C\,\rho^{(U,1)}_{H,R}\,\Pi_C\big)}{p_U} = \frac{\mathrm{Tr}\big(\Pi_{V,r^*}\,\phi^{(U,1)}_H\big)}{p_U\cdot|R|} = \frac{\zeta_{r^*}}{p_U\cdot|R|},$$
since $(I \otimes |r^*\rangle\langle r^*|)\,\Pi_C = \Pi_{V,r^*} \otimes |r^*\rangle\langle r^*|$ and $(I \otimes |r^*\rangle\langle r^*|)\,\rho^{(U,1)}_{H,R}\,(I \otimes |r^*\rangle\langle r^*|) = \frac{1}{|R|}\,\phi^{(U,1)}_H \otimes |r^*\rangle\langle r^*|_R$.

³⁰ Here (and elsewhere) we informally make use of the fact that the "current" value of $p$ in any iteration of Step 3 is always at least $p_0/2$, where $p_0$ is the initial estimated $p$.

Overall, $D$ is obtained by measuring $(B, R)$ on the state $\rho^{(C)}_{B,H,R}$, which is $O(\sqrt{\delta})$-close to $\rho^{(C,1)}_{B,H,R}$; the claim follows by contractivity of trace distance. □
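The sampler $\mathsf{Samp}$ from the proof of Claim 8.18, simulated classically, as an added example (this is not the paper's code). The dictionary `ZETA` plays the role of the per-challenge acceptance probabilities $\zeta_r = \mathrm{Tr}(\Pi_{V,r}\,\phi^{(U,1)}_H)$ (constructed values, chosen for illustration), the uniform oracle $O_R$ is a seeded random choice, and the functions compute the exact law $\Pr[r^*] = \zeta_{r^*}/(p_U\,|R|)$ and the expected query count $1/p_U$ and compare them with a Monte Carlo run of the loop. Cloning the quantum state is of course impossible for the real extractor; $\mathsf{Samp}$ is only an analysis device, which is why the simulation is purely classical.

```python
"""Classical simulation of Samp (Claim 8.18).  Added example, not from the paper.
zeta[r] = probability that a fresh copy of phi^(U,1) is accepted on challenge r
(constructed values); O_R = uniform choice over the challenge space."""
import random

# Constructed per-challenge acceptance probabilities zeta_r for a 4-element R.
ZETA = {"r0": 0.9, "r1": 0.3, "r2": 0.0, "r3": 0.6}

def p_U(zeta):
    """p_U = Tr(Pi_C rho^(U,1)) = (1/|R|) sum_r zeta_r: a uniform challenge is accepted."""
    return sum(zeta.values()) / len(zeta)

def expected_queries(zeta):
    """Each O_R query succeeds independently with probability p_U (geometric law),
    so the expected number of queries before Samp halts is 1/p_U."""
    return 1.0 / p_U(zeta)

def output_distribution(zeta):
    """Exact law of Samp's output: Pr[r*] = zeta_{r*} / (p_U * |R|)."""
    pu, n = p_U(zeta), len(zeta)
    return {r: z / (pu * n) for r, z in zeta.items()}

def samp(zeta, rng):
    """One run of Samp: query O_R, test acceptance on a fresh copy, repeat until b = 1.
    Returns (r, number_of_queries); the output is always one of the queried r."""
    challenges = sorted(zeta)
    queries = 0
    while True:
        r = rng.choice(challenges)          # query to the uniform oracle O_R
        queries += 1
        if rng.random() < zeta[r]:          # measure (Pi_{V,r}, I - Pi_{V,r}) on a fresh copy
            return r, queries

def empirical(zeta, trials, seed=0):
    """Monte Carlo estimate of the output law and the mean query count."""
    rng = random.Random(seed)
    counts = {r: 0 for r in zeta}
    total_queries = 0
    for _ in range(trials):
        r, q = samp(zeta, rng)
        counts[r] += 1
        total_queries += q
    return {r: c / trials for r, c in counts.items()}, total_queries / trials
```

With the constructed values, $p_U = 0.45$, so $\mathsf{Samp}$ needs about 2.22 queries on average, and the output law is proportional to $\zeta_r$ (here 1/2, 1/6, 0, 1/3): a challenge that the state never answers correctly is never output, exactly as measuring $R$ on $\rho^{(C,1)}_{H,R}$ would never produce it. A seeded run of `empirical` reproduces both quantities to within sampling error.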


Having established properties (1), (2), and (3), we have proved Theorem 8.2.


8.4 Obtaining Guaranteed Extraction 


In this section, we combine the guarantees of Theorem 8.2 with additional analysis to prove that all of the example protocols from Section 5.3 have guaranteed extractors (additionally assuming partial collapsing where necessary). We remark that handling the graph isomorphism subroutine requires a slight modification of the extractor, which we detail below.

We begin with a general-purpose corollary of Theorem 8.2 for the case of protocols satisfying $(k, g)$-PSS in addition to $f_1, \ldots, f_{k-1}$-partial collapsing (which was assumed in Theorem 8.2).


Corollary 8.19. Let $(P_\Sigma, V_\Sigma)$ be a 3- or 4-message public-coin interactive argument with a consistency function $g : T \times (R \times \{0,1\}^*)^k \to \{0,1\}$, and let $f_1, \ldots, f_k$ be functions. Suppose that:

• The protocol is partially collapsing with respect to $f_1, \ldots, f_{k-1}$, and
• The protocol is $(k, g)$-PSS for some $k = \mathrm{poly}(\lambda)$.
Then, one of the two following conclusions holds:

1. The extractor from Theorem 8.2 composed with the PSS extractor $\mathsf{PSSExtract}$ satisfies guaranteed extraction, OR

2. The extractor from Theorem 8.2 outputs a $k$-tuple of partial transcripts $(r_1, y_1, \ldots, r_k, y_k)$ such that $g(\tau_{\mathrm{pre}}, r_1, y_1, \ldots, r_k, y_k) = 0$ (the transcripts are inconsistent) with non-negligible probability.


Proof. Suppose that conclusion (1) is false, meaning that there exist infinitely many $\lambda$ and a constant $c$ such that the extractor from Theorem 8.2 has an accepting initial execution but the call to $\mathsf{PSSExtract}$ fails to produce a witness with probability at least $1/\lambda^c$. We know that the Theorem 8.2 extractor aborts with negligible probability, so we also assume that the extractor does not abort here. Then, by an averaging argument, with probability at least $\frac{1}{2\lambda^c}$ over the distribution of $(vk, a)$, the above event conditioned on $(vk, a)$ holds with probability at least $\frac{1}{2\lambda^c}$. This in particular implies that $\gamma_{vk,a}$ (as defined in Theorem 8.2) is at least $\frac{1}{2\lambda^c}$ for these choices of $(vk, a)$. Then, property (3) of Theorem 8.2 implies that the distribution of $(r_1, \ldots, r_k)$ is admissible for these choices of $(vk, a)$ (and choices of $\lambda$). Thus, the $(k, g)$-PSS property of $(P_\Sigma, V_\Sigma)$ implies that for every such $(vk, a)$, the $k$-tuple of partial transcripts must be inconsistent with probability at least $\frac{1}{2\lambda^c} - \mathrm{negl}(\lambda)$ (as otherwise $\mathsf{PSSExtract}$ would succeed with $1 - \mathrm{negl}$ probability). Therefore, assuming that conclusion (1) is false, the probability that the $k$-tuple of transcripts output by the Theorem 8.2 extractor is inconsistent is at least $\frac{1}{4\lambda^{2c}} - \mathrm{negl}(\lambda)$ for infinitely many $\lambda$, implying conclusion (2). □


Finally, we apply Corollary 8.19 to obtain guaranteed extractors for all of the Section 5.3 example protocols (along with a general result for $k$-special sound protocols).
Corollary 8.20. If $(P_\Sigma, V_\Sigma)$ is (fully) collapsing and $k$-special sound, and $|R| = 2^{\omega(\log \lambda)}$, then the protocol has guaranteed extraction.

Proof. Since $(P_\Sigma, V_\Sigma)$ is $k$-special sound and $|R| = 2^{\omega(\log \lambda)}$, we know that the protocol is $(k, g)$-PSS for the "trivial" transcript consistency predicate $g$. Therefore, Corollary 8.19 applies to this protocol (where the extractor sets $f_1 = \ldots = f_k = \mathrm{Id}$). However, conclusion (2) of Corollary 8.19 cannot happen because the consistency predicate of $\mathsf{PSSExtract}$ in this case simply checks that the transcripts are accepting, which is guaranteed by the fact that $(r_i, y_i = z_i)$ was a measurement outcome of a state in $\Pi_C$. □


Corollary 8.21. If $(P_\Sigma, V_\Sigma)$ is a commit-and-open protocol (Definition 5.11) satisfying commit-and-open $k$-special soundness and $|R| = 2^{\omega(\log \lambda)}$ (either natively or enforced by parallel repetition), and the commitment scheme is instantiated using a collapse-binding commitment [Unr16b], then the protocol has a guaranteed extractor.

Proof. Under the hypotheses of the corollary (along with Lemma 5.7), the protocol satisfies either $(k, g)$-PSS (if it has a natively superpolynomial challenge space) or $(k^2 \log^2(\lambda), g)$-PSS (if parallel repeated; see Lemma 5.8), where $g$ is a predicate that enforces the constraint that all opened messages are consistent with each other. We set $f_1 = \ldots = f_k = f$ where $f(z)$ outputs the substring of $z$ corresponding to the opened messages (and not the openings). Then, the Theorem 8.2 extraction procedure does not violate $g$-consistency by the unique-message binding of the commitment scheme (shown in Lemma 4.2). Thus, Corollary 8.19 implies that $(P_\Sigma, V_\Sigma)$ has a guaranteed extraction procedure. □
Corollary 8.22. Kilian's succinct argument system [Kil92], when instantiated using a collapsing hash function and a PCP of knowledge, has a guaranteed extraction procedure.

Proof. We know from Section 5.3 that the succinct argument system is (1) (fully) collapsing, and (2) $(k, g)$-PSS for $k = \mathrm{poly}(n, \lambda)$ and $g$ defined so that when $z_i$ and $z_j$ contain overlapping leaves of the Merkle tree, the leaf values are equal. We set $f_1 = \ldots = f_k = \mathrm{Id}$, and observe that the Theorem 8.2 extractor does not violate $g$-consistency, because if it output two transcripts $(r_1, z_1), (r_2, z_2)$ with inconsistent leaf values, then, since the transcripts are accepting (they were obtained by measuring a state in $\Pi_C$), this would violate the collision-resistance (implied by collapsing) of the hash family. Thus, by Corollary 8.19, the protocol has a guaranteed extractor. □


Corollary 8.23. The one-out-of-two graph isomorphism subroutine has a guaranteed extraction procedure that extracts the bit $b$ (when $G_0$ and $G_1$ are not isomorphic).

Proof. By Claim 5.10, this protocol is $(2, g')$-PSS where $g'$ is the following asymmetric function:

- For the first partial transcript $(\tau_{\mathrm{pre}}, r^{(1)}, c^{(1)})$, $g'$ checks that for all $i$ such that $r_i = 0$, $(H_{0,i}, H_{1,i})$ are isomorphic to $(G_{c_i^{(1)}}, G_{1 - c_i^{(1)}})$.

- For the second partial transcript $(\tau_{\mathrm{pre}}, r^{(2)}, c^{(2)})$, $g'$ additionally checks that for all $i$ such that $r_i = 1$, $H_{c_i, i}$ is isomorphic to $H$.

We define the following pair of functions $f_1, f_2$:

- $f_1(\tau_{\mathrm{pre}}, r, z)$ outputs the following substring of $z$. For every $i$ such that $r_i = 0$, the substring includes the bit $c_i$ (where $z_i = (c_i, \sigma_{0,i}, \sigma_{1,i})$).

- $f_2(\tau_{\mathrm{pre}}, r, z)$ outputs the substring $c$ (the distinguished single bit of each $z_i$).

We note that the graph isomorphism subprotocol is $f_1$-collapsing; this follows from the fact that for any accepting transcript $(\tau_{\mathrm{pre}}, r, z)$, the bits $c_i$ (for $r_i = 0$) are information-theoretically determined as a function of $(G_0, G_1, H_{0,i}, H_{1,i})$.

Thus, if we instantiate the Theorem 8.2 extractor using $(f_1, f_2)$ (note that we require no properties of $f_2$), we have that Corollary 8.19 applies. Moreover, $g'$-consistency of the transcripts output by the extractor is not violated, because it is formally implied by the fact that they were obtained by partially measuring a state in $\Pi_C$ (any accepting partial transcript $(r_i, c_i)$ satisfies the condition checked by $g'$). Thus, we conclude that the protocol has a guaranteed extractor by Corollary 8.19. □


9 Expected Polynomial Time for Quantum Simulators

We introduce a notion of efficient computation we call coherent-runtime expected quantum polynomial time ($\mathrm{EQPT}_c$). We then formalize a new definition of post-quantum zero-knowledge with $\mathrm{EQPT}_c$ simulation.


9.1 Quantum Turing Machines

We recall the definition of a quantum Turing machine (QTM) of Deutsch [Deu85]. A QTM is a tuple $(\Sigma, Q, \delta, q_0, q_f)$ where $\Sigma$ is a finite set of symbols, $Q$ is a finite set of states, $\delta: Q \times \Sigma \to \mathbb{C}^{Q \times \Sigma \times \{-1, 0, 1\}}$ is a transition function, and $q_0, q_f$ are the initial and final (halting) states respectively.

We fix registers $\mathcal{Q}$ containing the state, $\mathcal{I}$ containing the position of the tape head, and $\mathcal{T}$ containing the tape. A configuration state of a Turing machine is a vector $|q, i, T\rangle \in \mathcal{Q} \otimes \mathcal{I} \otimes \mathcal{T}$ where $q \in Q$ is the current state, $i \in \mathbb{N}$ is the location of the tape head, and $T \in \Sigma^*$ is the (finite) contents of the tape.

A transition is given by the map $U_\delta$, which acts on basis states as follows:

$$|q, i, T\rangle \mapsto \sum_{q' \in Q} \sum_{a \in \Sigma} \sum_{d \in \{-1, 0, 1\}} \alpha_{q', a, d} \, |q', i + d, T_{i \leftarrow a}\rangle$$

where $\delta(q, T_i) = \sum_{q', a, d} \alpha_{q', a, d} |q', a, d\rangle$ and $T_{i \leftarrow a}$ denotes the tape $T$ with the symbol at position $i$ replaced by $a$. $\delta$ is a valid transition function if and only if $U_\delta$ is unitary. The definition of QTMs generalises to multiple tapes in the natural way. We will consider QTMs having a separate input/output tape on register $\mathcal{A}$ (with head position in $\mathcal{I}_{\mathrm{in}}$).

The execution of a $T$-bounded QTM proceeds as follows.

1. Initialize register $\mathcal{Q}$ to $|q_0\rangle$, $\mathcal{I}, \mathcal{I}_{\mathrm{in}}$ to $|0\rangle$, and $\mathcal{T}$ to the empty tape state $|\varnothing\rangle$.
2. Repeat the following for at most $T$ steps:

   (a) Apply the two-outcome measurement $(|q_f\rangle\langle q_f|,\; I - |q_f\rangle\langle q_f|)$ to $\mathcal{Q}$. If the outcome is 1, halt and discard all registers except $\mathcal{A}$.

   (b) Apply $U_\delta$.

The output $M(\rho)$ of a QTM $M$ on input $\rho \in S(\mathcal{A})$ is the state on $\mathcal{A}$ when the machine halts. The running time $t_M(\rho)$ of $M$ on input $\rho$ is the number of iterations of Step 2. Note that both of these quantities are random variables.

Definition 9.1. The expected running time $E_M(n)$ of a QTM $M$ is the maximum over all $n$-qubit states $\rho$ of $\mathbb{E}[t_M(\rho)]$. A $T$-bounded QTM $M$ (for some $T \leq \exp(n)$) is $\mathrm{EQPT}_m$ if there exists a polynomial $p$ such that $E_M(n) \leq p(n)$ for all $n$.


9.2 Coherent-Runtime EQPT

Definition 9.2. A D-circuit is a quantum circuit $C$ with special gates $\{G_i, G_i^{-1}\}_{i=1}^{k}$ with the following restriction: for each $i$, there is a single $G_i$ gate and a single $G_i^{-1}$ gate acting on a designated register $\mathcal{X}_i$, where $G_i$ acts before $G_i^{-1}$. All other gates may act arbitrarily on $\mathcal{Y} \otimes \bigotimes_{i=1}^{k} \mathcal{X}_i$, for some register $\mathcal{Y}$. For any CPTP maps $\Phi_i: S(\mathcal{X}_i) \to S(\mathcal{X}_i)$, $C[\Phi_1, \ldots, \Phi_k]: S(\mathcal{Y} \otimes \bigotimes_{i=1}^{k} \mathcal{X}_i) \to S(\mathcal{Y} \otimes \bigotimes_{i=1}^{k} \mathcal{X}_i)$ is the superoperator defined as follows:

1. For each $i$, let $U_i$ be a unitary dilation of $\Phi_i$. That is, let $\mathcal{Z}_i$ be an ancilla Hilbert space and $U_i$ a unitary on $\mathcal{X}_i \otimes \mathcal{Z}_i$ such that $\Phi_i(\sigma) = \mathrm{Tr}_{\mathcal{Z}_i}\big(U_i (\sigma \otimes |0\rangle\langle 0|_{\mathcal{Z}_i}) U_i^\dagger\big)$ for all $\sigma \in S(\mathcal{X}_i)$.
2. Construct a circuit $C'$ on $\mathcal{Y} \otimes \bigotimes_{i=1}^{k} (\mathcal{X}_i \otimes \mathcal{Z}_i)$ from $C$ by replacing $G_i$ with $U_i$ and $G_i^{-1}$ with $U_i^\dagger$ for each $i$.
3. Let $C[\Phi_1, \ldots, \Phi_k]$ be the superoperator $\rho \mapsto \mathrm{Tr}_{\mathcal{Z}}\big(C'(\rho \otimes \bigotimes_{i=1}^{k} |0\rangle\langle 0|_{\mathcal{Z}_i})\big)$.

Since all choices of $U_i$ are equivalent up to a local isometry on $\mathcal{Z}_i$, the map $C[\Phi_1, \ldots, \Phi_k]$ is well-defined.

We are now ready to define our notion of coherent-runtime expected quantum polynomial time.

Definition 9.3. A sequence of CPTP maps $\{\Phi_n\}_{n \in \mathbb{N}}$ is an $\mathrm{EQPT}_c$ computation if there exist a uniform family of D-circuits $\{C_n\}_{n \in \mathbb{N}}$ and $\mathrm{EQPT}_m$ computations $M_1, \ldots, M_k$ such that $C_n[M_1, \ldots, M_k] = \Phi_n$ for all $n$.


We show that any $\mathrm{EQPT}_c$ computation can be approximated to any desired precision by a polynomial-size quantum circuit. We first show the following claim. Let $|\mathrm{init}\rangle = |q_0\rangle_{\mathcal{Q}} \, |0, 0\rangle_{\mathcal{I}, \mathcal{I}_{\mathrm{in}}} \, |\varnothing\rangle_{\mathcal{T}}$.

Claim 9.4. Let $M$ be a $T$-bounded QTM running in expected time $t$, and let $U$ be the unitary dilation of $M$ as in Fig. 2. For all $\gamma: \mathbb{N} \to (0, 1)$, there is a uniform sequence of unitary circuits $\{V_n\}_n$ of size $\mathrm{poly}(n)/\gamma(n)^2$ such that for every unitary $A$ on $\mathcal{A}$ and state $|\psi\rangle \in \mathcal{A}$:

$$\big\| \big( U^\dagger (I \otimes A) U - V^\dagger (I \otimes A) V \big) |\psi\rangle |\mathrm{init}\rangle |0^T\rangle_{\mathcal{B}} \big\| \leq \gamma(n).$$

Proof. Let $V$ be the unitary given by truncating $U$ to just after the $\tau$-th iteration of $U_\delta$, where $\tau := \lceil 4t/\gamma(n)^2 \rceil$. Let $\Pi := |1\rangle\langle 1|_{\mathcal{B}_\tau}$. Observe that for every state $|\psi\rangle$,

$$\Pi U |\psi\rangle |\mathrm{init}\rangle |0^T\rangle_{\mathcal{B}} = \Pi V |\psi\rangle |\mathrm{init}\rangle |0^\tau 1^{T-\tau}\rangle_{\mathcal{B}},$$

because $\Pi$ projects on to computations that finish in at most $\tau$ steps, and once the computation finishes, the remaining CNOT gates flip the corresponding $\mathcal{B}_i$ from 0 to 1. Moreover, for every state $|\phi\rangle \in \mathcal{A} \otimes \mathcal{Q} \otimes \mathcal{W}$ and $x \in \{0, 1\}^\tau$,

$$U^\dagger |\phi\rangle |x \, 1^{T-\tau}\rangle_{\mathcal{B}} = V^\dagger |\phi\rangle |x \, 0^{T-\tau}\rangle_{\mathcal{B}},$$

since the applications of $U_\delta$ controlled on $\mathcal{B}_{\tau+1}, \ldots, \mathcal{B}_T$ act as the identity and the CNOT gates acting on $\mathcal{B}_{\tau+1}, \ldots, \mathcal{B}_T$ flip the corresponding register from 1 to 0. Hence

$$U^\dagger (I \otimes A) \Pi U |\psi\rangle |\mathrm{init}\rangle |0^T\rangle_{\mathcal{B}} = V^\dagger (I \otimes A) \Pi V |\psi\rangle |\mathrm{init}\rangle |0^T\rangle_{\mathcal{B}}.$$

The claim follows since, by Markov's inequality,

$$\big\| (I - \Pi) U |\psi\rangle |\mathrm{init}\rangle |0^T\rangle_{\mathcal{B}} \big\| \leq \sqrt{t/\tau} \leq \gamma(n)/2. \qquad \square$$
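The last sentence of the proof compresses a triangle-inequality step; the following worked derivation, added here and not part of the original proof, carries it out with the symbols defined above, writing $|\Psi\rangle := |\psi\rangle |\mathrm{init}\rangle |0^T\rangle_{\mathcal{B}}$ and using that $U$, $V$ and $A$ are unitary:

```latex
\begin{aligned}
\big\| (U^\dagger (I \otimes A) U - V^\dagger (I \otimes A) V) |\Psi\rangle \big\|
&\leq \big\| U^\dagger (I \otimes A)(I - \Pi) U |\Psi\rangle \big\|
   + \big\| U^\dagger (I \otimes A) \Pi U |\Psi\rangle - V^\dagger (I \otimes A) \Pi V |\Psi\rangle \big\|
   + \big\| V^\dagger (I \otimes A)(I - \Pi) V |\Psi\rangle \big\| \\
&= \big\| (I - \Pi) U |\Psi\rangle \big\| + 0 + \big\| (I - \Pi) V |\Psi\rangle \big\|
   && \text{(middle term vanishes by the identity proved above)} \\
&= 2 \, \big\| (I - \Pi) U |\Psi\rangle \big\|
   && \text{($U$ and $V$ agree on the first $\tau$ iterations; $\Pi$ reads only $\mathcal{B}_\tau$)} \\
&= 2 \sqrt{\Pr[\, t_M(\psi) > \tau \,]}
   \leq 2 \sqrt{t/\tau}
   \leq 2 \sqrt{\gamma(n)^2 / 4} = \gamma(n),
\end{aligned}
```

where the last line is Markov's inequality applied to $t_M(\psi)$, whose expectation is at most $t$, together with the choice $\tau = \lceil 4t/\gamma(n)^2 \rceil$.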


Lemma 9.5. For any $\mathrm{EQPT}_c$ computation $\{\Phi_n\}_n$ and $\varepsilon: \mathbb{N} \to (0, 1]$, there is a uniform sequence of (standard) quantum circuits $\{C_n\}_n$ of size $\mathrm{poly}(n, 1/\varepsilon(n))$ such that $d(\Phi_n(\rho), C_n(\rho)) \leq \varepsilon(n)$ for all $\rho$.

Proof. Let $D_n$ be a D-circuit and $M_1, \ldots, M_k$ be such that $\Phi_n = D_n[M_1, \ldots, M_k]$, and let $U_n$ be the unitary circuit obtained by replacing each $G_i, G_i^{-1}$ with the corresponding coherent implementation of $M_i$ as in Fig. 2. Let $U'_n$ be as $U_n$, but where the $G_i$-gates are replaced with unitaries $V_i$ as guaranteed by Claim 9.4 with $\gamma(n) := \varepsilon(n)/k$. The circuit $C_n$ is obtained by initializing the ancillas to $|\mathrm{init}\rangle |0^T\rangle_{\mathcal{B}}$, applying $U'_n$, and then tracing out the ancillas.

We make use of the fidelity distance $d_F$, defined in [...] to be

$$d_F(\rho, \sigma) = \inf\big\{ \| |\psi\rangle - |\phi\rangle \| : |\psi\rangle, |\phi\rangle \text{ purify } \rho, \sigma, \text{ respectively} \big\}.$$

[Wat06] shows that $d_F(\rho, \sigma) \geq d(\rho, \sigma)$. We can choose the purifications $U_n |\psi\rangle |\mathrm{init}\rangle |0^T\rangle$ of $\Phi_n$ and $U'_n |\psi\rangle |\mathrm{init}\rangle |0^T\rangle$ of $C_n$. By Claim 9.4 and the triangle inequality (applied once per replaced gate), the distance between these states is at most $k \cdot \gamma(n) = \varepsilon(n)$. □


9.3 Zero Knowledge with $\mathrm{EQPT}_c$ Simulation

Given our definition of $\mathrm{EQPT}_c$ above, we now formally define zero-knowledge with $\mathrm{EQPT}_c$ simulation for interactive protocols.

For an interactive protocol $(P, V)$, let $\mathrm{out}_{V^*}(P, V^*)$ denote the output of $V^*$ after interacting with $P$.

Definition 9.6. An interactive argument is black-box statistical (resp. computational) post-quantum zero knowledge if there exists an $\mathrm{EQPT}_c$ simulator $\mathrm{Sim}$ such that for all polynomial-size quantum malicious verifiers $V^*$ and all $(x, w) \in R_L$, the distributions

$$\mathrm{out}_{V^*}(P(x, w), V^*) \quad \text{and} \quad \mathrm{Sim}^{V^*}(x)$$

are statistically (resp. quantum computationally) indistinguishable.


10 State-Preserving Extraction

So far, we have constructed $\mathrm{EQPT}_m$ guaranteed extractors for various protocols of interest (Section 8) and established the $\mathrm{EQPT}_c$ model that allows for state-preserving extraction (Section 9). In this section, we prove a generalization of [...] showing how to convert an $\mathrm{EQPT}_m$ guaranteed extractor into a state-preserving $\mathrm{EQPT}_c$ extractor.

In Section 10.1 we write down an explicit reduction from state-preserving extraction to guaranteed extraction and prove Lemma 10.3, which gives a condition under which the reduction is valid (intuitively capturing "computational uniqueness" of the witness given the first message of the protocol). Then, in Section 10.2 we show examples to which Lemma 10.3 applies; namely, protocols for languages with unique (partial) witnesses and general commit-and-prove protocols. Finally, in Section 10.3 we conclude Theorems 1.6 and 1.7.


10.1 From Guaranteed Extraction to State-Preserving Extraction

We first recall our definition of state-preserving proofs of knowledge (Definition 1.5).

Definition 10.1. An interactive protocol $\Pi$ is defined to be a state-preserving argument (resp. proof) of knowledge if there exists an extractor $\mathrm{Ext}$ with the following properties:

Syntax: For any quantum algorithm $P^*$ and auxiliary state $|\psi\rangle$, $\mathrm{Ext}^{P^*(\cdot, |\psi\rangle)}$ outputs a protocol transcript $\tau$, prover state $|\psi'\rangle$, and witness $w$.

Extraction Efficiency: If $P^*$ is a QPT algorithm, $\mathrm{Ext}^{P^*(\cdot, |\psi\rangle)}$ runs in expected quantum polynomial time ($\mathrm{EQPT}_c$).

Extraction Correctness: the probability that $\tau$ is an accepting transcript but $w$ is an invalid NP witness is negligible.

State-Preserving: the pair $(\tau, |\psi'\rangle)$ is computationally (resp. statistically) indistinguishable from a transcript-state pair $(\tau^*, |\psi^*\rangle)$ obtained through an honest one-time interaction with $P^*(\cdot, |\psi\rangle)$ (where $|\psi^*\rangle$ is the prover's residual state).


We now introduce the notion of "witness-binding" protocols, i.e., protocols that are collapse-binding to functions of the witness $w$. For an adversary $\mathrm{Adv}$ and an interactive protocol $(P, V)$, we define a witness-binding experiment $\mathrm{Exp}^{\mathrm{Adv}}_{(P,V)}(b, \mathrm{Pred}, f, \lambda)$ parameterized by a challenge bit $b$, a predicate $\mathrm{Pred}$ and a function $f$.

1. The challenger generates the first verifier message $vk$ and sends it to $\mathrm{Adv}$; skip this step if the protocol is a 3-message protocol.

2. $\mathrm{Adv}$ replies with a classical instance $x$, a classical first prover message $a$, and a quantum state on registers $\mathcal{W}_{\mathrm{witness}} \otimes \mathcal{V}_{\mathrm{aux}}$.

3. The challenger performs a binary-outcome projective measurement to learn the output of $\mathrm{Pred}(x, vk, a, \cdot, \cdot)$ on $\mathcal{W}_{\mathrm{witness}} \otimes \mathcal{V}_{\mathrm{aux}}$. If the output is 0, the experiment aborts.

4. If $b = 0$, the challenger does nothing. If $b = 1$, the challenger initializes a fresh ancilla $\mathcal{K}$ to $|0\rangle_{\mathcal{K}}$, applies the unitary $U_f$ (acting on $\mathcal{W}_{\mathrm{witness}} \otimes \mathcal{K}$) that computes $f(\cdot)$ on $\mathcal{W}_{\mathrm{witness}}$ and XORs the output onto $\mathcal{K}$, measures $\mathcal{K}$, and then applies $U_f^\dagger$.

5. The challenger returns the $\mathcal{W}_{\mathrm{witness}} \otimes \mathcal{V}_{\mathrm{aux}}$ registers to $\mathrm{Adv}$. Finally, $\mathrm{Adv}$ outputs a bit $b'$, which is the output of the experiment (if the experiment has not aborted).

Definition 10.2 ($(\mathrm{Pred}, f)$-binding to the witness). A 3- or 4-message protocol is witness binding with respect to predicate $\mathrm{Pred}$ and function $f$ if for any computationally bounded quantum adversary $\mathrm{Adv}$,

$$\Big| \Pr\big[\mathrm{Exp}^{\mathrm{Adv}}_{(P,V)}(0, \mathrm{Pred}, f, \lambda) = 1\big] - \Pr\big[\mathrm{Exp}^{\mathrm{Adv}}_{(P,V)}(1, \mathrm{Pred}, f, \lambda) = 1\big] \Big| \leq \mathrm{negl}(\lambda).$$


Next, we write down a general-purpose reduction from state-preserving extraction to guaranteed extraction and show (Lemma 10.3) that the reduction is valid under an appropriate witness-binding assumption.

Lemma 10.3. Suppose that $(P_\Sigma, V_\Sigma)$ is a post-quantum proof/argument of knowledge with guaranteed extraction. We optionally assume that the extractor $\mathrm{Extract}^{P^*}$ outputs some auxiliary information $y$ in addition to the witness $w$. We then make the following additional assumptions with respect to a predicate $\mathrm{Pred}$:

- The protocol $(P_\Sigma, V_\Sigma)$ is $(\mathrm{Pred}, f = \mathrm{Id})$-witness binding, and

- The tuple $(w, y)$ output by the guaranteed extractor $\mathrm{Extract}^{P^*}$ satisfies $\mathrm{Pred}(vk, x, a, w, y) = 1$ with $1 - \mathrm{negl}$ probability.

Then, $(P_\Sigma, V_\Sigma)$ is a state-preserving proof/argument of knowledge with $\mathrm{EQPT}_c$ extraction.

Remark 10.4. This lemma is stated with respect to $f = \mathrm{Id}$ to match the state-preserving proof of knowledge abstraction; however, we also consider (Corollary 10.7) versions of this reduction where $f \neq \mathrm{Id}$.


Proof. We want to show that $(P_\Sigma, V_\Sigma)$ is a state-preserving proof/argument of knowledge. We begin by describing our candidate state-preserving extractor $\mathrm{Extract}'$.

Construction 10.5. Let $\mathrm{Extract}^{P^*}$ be a post-quantum guaranteed extractor (Definition 8.1). We present an $\mathrm{EQPT}_c$ extractor $\mathrm{Extract}'$ that has the form of an $\mathrm{EQPT}_c$ computation (see Fig. 1) where the unitary $U$ is a coherent implementation of the following $\mathrm{EQPT}_m$ computation on input register $\mathcal{H} \otimes \mathcal{R} \otimes \mathcal{S}$:

1. Measure $\mathcal{R} \otimes \mathcal{S}$ with the projective measurement

$$\big( |+_R\rangle\langle +_R|_{\mathcal{R}} \otimes |0\rangle\langle 0|_{\mathcal{S}},\; I - |+_R\rangle\langle +_R|_{\mathcal{R}} \otimes |0\rangle\langle 0|_{\mathcal{S}} \big).$$

If the output is 0, abort.

2. If the output is 1, we are guaranteed that $\mathcal{R} \otimes \mathcal{S}$ is $|+_R\rangle_{\mathcal{R}} \otimes |0\rangle_{\mathcal{S}}$. Run $\mathrm{Extract}^{P^*}$ on prover state $\mathcal{H}$ using $\mathcal{R}$ as the superposition of challenges (in Step 2 of Definition 8.1). We assume that the randomness $\mathrm{Extract}^{P^*}$ uses to sample a classical random $vk$ is generated by applying a Hadamard to a subregister of $\mathcal{S}$.

Write everything that is measured/obtained during the execution of $\mathrm{Extract}^{P^*}$ onto subregisters of $\mathcal{S}$. This includes the instance $x$, the first two messages of the 4-message protocol $(vk, a)$, the bit $b$ indicating the verifier's decision (i.e., whether the prover succeeds when run on the uniform superposition of challenges), and the extracted output $(w, y)$ (if $b = 1$, $w$ is a valid witness for $x$ and $\mathrm{Pred}(x, vk, a, w, y) = 1$ with $1 - \mathrm{negl}(\lambda)$ probability).
The fact that the above computation is in $\mathrm{EQPT}_m$ follows from the fact that $\mathrm{Extract}^{P^*}$ is $\mathrm{EQPT}_m$. Let $U$ denote its coherent implementation (as in Section 9, $U$ is a unitary on $\mathcal{H} \otimes \mathcal{R} \otimes \mathcal{S}$ and an exponential-size ancilla register).

Our state-preserving $\mathrm{EQPT}_c$ extractor $\mathrm{Extract}'$ takes as input a prover state on $\mathcal{H}$ and does the following.

1. Initialize additional registers $\mathcal{R} \otimes \mathcal{S}$ to $|+_R\rangle_{\mathcal{R}} |0\rangle_{\mathcal{S}}$.

2. Apply $U$.

3. Measure the subregister of $\mathcal{S}$ containing $(x, vk, a, b, w)$, where $w = 0$ is interpreted as $\bot$. Note that $\mathcal{S}$ contains a subregister corresponding to $y$, but $y$ is not measured here.

4. Apply $U^\dagger$.

5. Run the prover $P^*$ on first message $vk$ to obtain $x, a$ (again). Then run $P^*$ on challenge $\mathcal{R}$. Measure $\mathcal{R}$ to obtain $r$, and measure the register of $\mathcal{H}$ corresponding to its output to obtain $z$. Output $(x, vk, a, r, z, w)$ and $\mathcal{H}$.

First, we note that the above procedure is $\mathrm{EQPT}_c$ by construction. To prove the extraction correctness guarantee, it suffices to show that when $b = 1$, the witness $w$ is valid with $1 - \mathrm{negl}(\lambda)$ probability, and that when $b = 0$, the extractor outputs a rejecting transcript. The former statement follows immediately from the assumption that $\mathrm{Extract}^{P^*}$ is a guaranteed extractor. For the latter, observe (using the definition of $\mathrm{Extract}^{P^*}$ and the fact that $U$ is a coherent implementation of $\mathrm{Extract}^{P^*}$) that when $b = 0$, the state on $\mathcal{H} \otimes \mathcal{R}$ after running $P^*$ to obtain $a$ in Step 5 corresponds to a rejecting execution, so the transcript measured in Step 5 will be rejecting.

It remains to argue that the state-preserving extractor satisfies the indistinguishability property. Observe that $\mathrm{Extract}'$ can be rewritten so that $vk, x, a, b$ are no longer obtained by running $\mathrm{Extract}^{P^*}$ coherently as $U$ and then measuring those values afterwards, but instead by running those steps according to the standard $\mathrm{EQPT}_m$ implementation of $\mathrm{Extract}^{P^*}$. Thus the only part of $\mathrm{Extract}'$ that is written as a coherent implementation of a variable-runtime procedure is the $\mathrm{FindWitness}^{P^*}$ subroutine; let $U_{FW}$ denote the coherent implementation of $\mathrm{FindWitness}^{P^*}$. Note that while $\mathrm{FindWitness}^{P^*}$ is technically not $\mathrm{EQPT}_m$ on its own (i.e., there exist inputs that could make it run for too long), the fact that $\mathrm{Extract}^{P^*}$ is $\mathrm{EQPT}_m$ ensures that $U_{FW}$ is only applied on inputs where it runs for expected polynomial time.

Given the above definitions, the output of $\mathrm{Extract}'$ is perfectly equivalent to the following:

1. Sample a random $vk$, and run the prover $P^*$ to obtain $x, a$.

2. Initialize $\mathcal{R}$ to $|+_R\rangle_{\mathcal{R}}$ and measure $C$ (this is the binary projective measurement on $\mathcal{H} \otimes \mathcal{R}$ defined in Section 8.0.1 that measures whether the verifier accepts when the prover with state $\mathcal{H}$ is run on the challenge $\mathcal{R}$).

3. If $C = 1$, apply $U_{FW}$. Otherwise, if $C = 0$, set $w = \bot$ and skip to Step 6.

4. Measure the subregister corresponding to the part of the output of $U_{FW}$ containing $w$. Note that there is also a subregister corresponding to $y$, but $y$ is not measured.

5. Apply $U_{FW}^\dagger$.

6. Measure $\mathcal{R}$ to obtain $r$ and run the prover $P^*$ on $r$ to obtain its response $z$.

7. Output $(x, vk, a, r, z, w)$ and $\mathcal{H}$.

Let $\mathrm{Hybrid}_0$ be identical to $\mathrm{Extract}'$ except that Step 7 is modified to output $(x, vk, a, r, z)$ and $\mathcal{H}$ (i.e., omitting $w$). To show computational indistinguishability, it suffices to show that the output of $\mathrm{Hybrid}_0$ is computationally indistinguishable from $\mathrm{Hybrid}_1$, defined as follows:

1. Sample a random $vk$, and run the prover $P^*$ to obtain $x, a$.

2. Initialize $\mathcal{R}$ to $|+_R\rangle_{\mathcal{R}}$ and measure $C$ (this is the binary projective measurement on $\mathcal{H} \otimes \mathcal{R}$ defined in Section 8.0.1 that measures whether the verifier accepts when the prover with state $\mathcal{H}$ is run on the challenge $\mathcal{R}$).

3. Measure $\mathcal{R}$ to obtain $r$ and run the prover $P^*$ on $r$ to obtain its response $z$.

4. Output $(x, vk, a, r, z)$ and $\mathcal{H}$.

$\mathrm{Hybrid}_1$ corresponds to an honest execution of $P^*$, since the measurement of $C$ commutes with the measurement of $\mathcal{R}$.

By assumption, in $\mathrm{Hybrid}_0$, the reduced density matrix $\rho_{\mathcal{S}}$ of $\mathcal{S}$ satisfies $\mathrm{Tr}(\Pi_{\mathrm{valid}} \rho_{\mathcal{S}}) = 1 - \mathrm{negl}(\lambda)$, where $\Pi_{\mathrm{valid}}$ checks that either $b = 0$ or (1) $w$ is a valid witness for $x$ and (2) $\mathrm{Pred}(vk, x, a, w, y) = 1$. Therefore, the indistinguishability of $\mathrm{Hybrid}_0$ and $\mathrm{Hybrid}_1$ should intuitively follow from the witness-binding property, since if the measurement of $w$ is skipped, then $U_{FW}$ cancels out with $U_{FW}^\dagger$. However, to appeal to the guarantee that measuring $w$ is undetectable, we need to ensure that $U_{FW}$ corresponds to an efficient operation.

We handle this by considering a fixed polynomial-time truncation of $U_{FW}$. Suppose that a distinguisher can distinguish $\mathrm{Hybrid}_0$ from $\mathrm{Hybrid}_1$ with non-negligible advantage $\varepsilon(\lambda)$. Then we can modify $\mathrm{Hybrid}_0$ to use $U_{FW, \varepsilon}$, a coherent implementation of a strict $\mathrm{poly}(\lambda, 1/\varepsilon)$-runtime algorithm that approximates $\mathrm{FindWitness}^{P^*}$ to precision $\varepsilon/2$. Now the same distinguisher must distinguish between $\mathrm{Hybrid}_{0, \varepsilon}$ and $\mathrm{Hybrid}_1$ with advantage $\varepsilon/2$, where $\mathrm{Hybrid}_{0, \varepsilon}$ is the following:

1. Sample a random $vk$, and run the prover $P^*$ to obtain $x, a$.

2. Initialize $\mathcal{R}$ to $|+_R\rangle_{\mathcal{R}}$ and measure $C$.

3. If $C = 1$, apply $U_{FW, \varepsilon}$. Otherwise, if $C = 0$, set $w = \bot$ and skip to Step 6.

4. Measure a subregister of the output register of $U_{FW, \varepsilon}$ to obtain $w$.

5. Apply $U_{FW, \varepsilon}^\dagger$.

6. Measure $\mathcal{R}$ to obtain $r$ and run the prover $P^*$ on $r$ to obtain its response $z$.

7. Output $(x, vk, a, r, z)$ and $\mathcal{H}$.

Since $\varepsilon(\lambda)$ is at least $1/\lambda^c$ for some constant $c$ for infinitely many $\lambda$, it follows that $U_{FW, \varepsilon}$ and $U_{FW, \varepsilon}^\dagger$ are $\mathrm{poly}(\lambda)$-runtime algorithms for infinitely many $\lambda$. Then a distinguisher that distinguishes between $\mathrm{Hybrid}_{0, \varepsilon}$ and $\mathrm{Hybrid}_1$ contradicts the witness-binding property of $(P, V)$. □


10.2 Applying Lemma 10.3

We now show that the witness-binding hypotheses in Lemma 10.3 are satisfied in two cases of interest: protocols for unique-witness (or partial witness) languages (Corollary 10.6), and commit-and-prove protocols (Corollary 10.8).

Corollary 10.6. Let $L \in \mathrm{UP}$ be a language with unique NP witnesses. Then, if $L$ has a post-quantum proof of knowledge with guaranteed extraction, it also has a post-quantum state-preserving proof of knowledge.

Proof. This follows immediately from the fact that any protocol for a UP language is $(\mathrm{Pred}, f)$-witness binding for $\mathrm{Pred} = 1$ (the trivial predicate) and $f = \mathrm{Id}$ (because there is a unique valid witness). Since $\mathrm{Pred} = 1$, any guaranteed extractor also satisfies the $\mathrm{Pred}$-hypothesis of Lemma 10.3, so we are done. □

We briefly state how Corollary 10.6 can be extended to languages $L$ with unique partial witnesses, provided that the extractor only measures a function $f(w)$ that is a deterministic function of the instance $x$.

Corollary 10.7. Let $L \in \mathrm{NP}$, and let $f$ be an efficient function such that for all instances $x \in L$ and all witnesses $w \in R_x$, $f(x, w) = g(x)$ is equal to some fixed (possibly inefficient) function of $x$.

Suppose that $L$ has a proof/argument of knowledge $(P_\Sigma, V_\Sigma)$ with guaranteed extraction. Then, a modified variant of $\mathrm{Extract}'$ (Construction 10.5), in which only $f(x, w)$ is measured instead of $w$, is a state-preserving proof/argument of knowledge extractor for $(P_\Sigma, V_\Sigma)$ that outputs $g(x)$.

This holds by the same reasoning as Corollary 10.6: the hypothesis of Corollary 10.7 implies that any protocol for $L$ is $(\mathrm{Pred} = 1, f)$-witness binding, and so the reduction from Lemma 10.3 applies (when $f(x, w)$ is measured rather than $w$).


10.2.1 Commit-and-Prove Protocols

Let $(P_\Sigma, V_\Sigma)$ denote a post-quantum proof/argument of knowledge with guaranteed extraction (Definition 8.1). Recall that Definition 8.1 has been designed to capture (first-message) adaptive soundness, in which the prover $P^*$ can adaptively choose the instance $x$ as it sends its first message.

Then, we consider a commit-and-prove compiled protocol $(P_{\mathrm{com}}, V_{\mathrm{com}})$ using $(P_\Sigma, V_\Sigma)$ and a commitment scheme $\mathrm{Com}$. $(P_{\mathrm{com}}, V_{\mathrm{com}})$ is executed as follows:

- $V_{\mathrm{com}}$ sends a first message for $(P_\Sigma, V_\Sigma)$ (if the protocol has four messages). Moreover, if $\mathrm{Com}$ is a two-message commitment scheme, $V_{\mathrm{com}}$ sends a commitment key $ck$.

- $P_{\mathrm{com}}$ then sends:

  - A commitment $com = \mathrm{Com}(ck, w)$ to a witness $w$ for the underlying language $L$, and

  - A first prover message for an execution of $(P_\Sigma, V_\Sigma)$ for the statement "$\exists\, w, r$ such that $com = \mathrm{Com}(ck, w; r)$ and $w$ is an NP-witness for $x \in L$."

- $P_{\mathrm{com}}$ and $V_{\mathrm{com}}$ then complete the execution of $(P_\Sigma, V_\Sigma)$.

Corollary 10.8. If $(P_\Sigma, V_\Sigma)$ is a post-quantum proof/argument of knowledge with guaranteed extraction for all NP languages and $\mathrm{Com}$ is a collapse-binding commitment scheme, then the commit-and-prove compiled protocol is a state-preserving proof/argument of knowledge.

Proof. We first remark that since $(P_\Sigma, V_\Sigma)$ is a post-quantum proof/argument of knowledge with guaranteed extraction, the commit-and-prove composed protocol is also immediately a post-quantum proof/argument of knowledge with guaranteed extraction. Namely, $\mathrm{Extract}^{P^*}$ interprets the cheating prover as an adaptive-input cheating prover for $(P_\Sigma, V_\Sigma)$ with respect to the language

$$L_{ck, com} = \{ x : \exists (w, \omega) \text{ such that } w \in R_x \text{ and } \mathrm{Com}(ck, w; \omega) = com \}$$

and runs the guaranteed extractor for $(P_\Sigma, V_\Sigma)$. Moreover, this extraction procedure outputs both an NP-witness $w$ and commitment randomness $\omega$ such that $com = \mathrm{Com}(ck, w; \omega)$; we treat $\omega$ as auxiliary information $y$.

We then define $\mathrm{Pred}(x, (ck, vk), (com, a), w, \omega)$ to output 1 if and only if $\mathrm{Com}(ck, w; \omega) = com$. Then, we observe that the commit-and-prove protocol is $(\mathrm{Pred}, \mathrm{Id})$-witness binding (for the language $L$) by the collapse-binding of the commitment scheme $\mathrm{Com}$. Moreover, the correctness property of $\mathrm{Extract}^{P^*}$ further guarantees that $\mathrm{Pred}(x, (ck, vk), (com, a), w, \omega) = 1$ with probability $1 - \mathrm{negl}(\lambda)$.

Thus, we conclude that Lemma 10.3 applies, and so the commit-and-prove protocol has a state-preserving extractor. □


10.3 Concluding Theorems 1.6 and 1.7

Finally, we describe how to conclude the results of Theorems 1.6 and 1.7. We begin with Theorem 1.6, re-stated below.

Theorem 10.9 (Theorem 1.6). Assuming collapsing hash functions exist, there exists a 4-message public-coin state-preserving succinct argument of knowledge for NP.

Proof. Given a collapsing hash function family $\mathcal{H}$, we construct a state-preserving succinct argument of knowledge for NP as follows:

- First, we define Kilian's succinct argument system (see Section 5.3.3) with respect to $\mathcal{H}$. By Corollary 8.22, this argument system is a post-quantum argument of knowledge with guaranteed extraction.

- Next, we apply the commit-and-prove compiler (Corollary 10.8) using the collapse-binding commitment scheme $\mathrm{Com}(ck = h, m) = h(m)$. This commitment scheme does not formally satisfy any hiding property, but it is succinct, which is what is relevant for Theorem 1.6.

Corollary 10.8 tells us that the resulting composed protocol is a state-preserving argument of knowledge for NP. Moreover, it satisfies all of the properties (4-message, public-coin, succinct) claimed in the theorem statement. □
Next, we prove Theorem 1.7, re-stated below.

Theorem 10.10. Assuming collapsing hash functions or super-polynomially secure one-way functions, there exists a 4-message public-coin state-preserving witness-indistinguishable argument (in the case of collapsing) or proof (in the case of OWFs) of knowledge. Assuming super-polynomially secure non-interactive commitments, there exists a 3-message PoK achieving the same properties.

Proof. All three variants of this theorem are proved via the same approach: combining commit-and-prove with a (strong) witness-indistinguishable $\Sigma$-protocol.

Formally, let $\mathrm{Com}$ denote a (possibly keyed) non-interactive commitment scheme. We use $\mathrm{Com}$ to instantiate a commit-and-open $\Sigma$-protocol such as the [GMW87] protocol for graph 3-coloring or the (potentially modified) [Blu86] protocol for Hamiltonicity. We do a sufficient parallel repetition of the commit-and-open protocol so that its challenge space satisfies $|R| = 2^t$ for $t \leq \mathrm{poly}(\lambda)$ (footnote: using [Blu86], one can set $t = \mathrm{poly}(\log \lambda)$) and it achieves $\mathrm{negl}(\lambda)$ soundness error. Then, Corollary 8.21 tells us that this protocol is a post-quantum proof/argument of knowledge (depending on whether $\mathrm{Com}$ is statistically or collapse-binding) with guaranteed extraction.

Next, we additionally assume (as is the case for [GMW87, Blu86]) that the $\Sigma$-protocol satisfies special honest-verifier zero knowledge (Definition 3.6). In fact, we assume that it satisfies SHVZK against quantum adversaries that run in time $2^t \cdot \mathrm{poly}(\lambda)$, which holds (for these examples) provided that $\mathrm{Com}$ is computationally hiding against $2^t \cdot \mathrm{poly}(\lambda)$-time adversaries.

Under this assumption, Watrous' rewinding lemma [Wat06] implies that the $\Sigma$-protocol has a time $2^t \cdot \mathrm{poly}(\lambda)$ malicious-verifier post-quantum simulator.

We now plug this $\Sigma$-protocol into the commit-and-prove compiler (Corollary 10.8), again making use of the commitment scheme $\mathrm{Com}$ (for simplicity of the proof, we assume here that a different commitment key is used, although this is not necessary). Corollary 10.8 tells us that the resulting protocol is a state-preserving proof/argument of knowledge (again depending on whether $\mathrm{Com}$ is statistically binding).

It remains to show WI of the commit-and-prove protocol. That is, we want to show that for every malicious verifier $V^*$ (and maliciously chosen commitment key $ck$), a commitment $com = \mathrm{Com}(ck, w_1)$ together with the view of $V^*$ in an execution of the $\Sigma$-protocol is computationally indistinguishable from the analogous state when a second witness $w_2$ is instead used. This is argued via the usual hybrid argument:

- Define $\mathrm{Hybrid}_{0, b}$ to be $\mathrm{Com}(ck, w_b)$ along with the actual $\Sigma$-protocol view of $V^*$.

- Define $\mathrm{Hybrid}_{1, b}$ to consist of $com = \mathrm{Com}(ck, w_b)$ along with a $2^t \cdot \mathrm{poly}(\lambda)$-time simulated view of $V^*$ on input $(ck, com)$. We have that $\mathrm{Hybrid}_{1, b} \approx_c \mathrm{Hybrid}_{0, b}$ by the super-polynomial time simulatability of the $\Sigma$-protocol (as discussed above).

- Finally, we have that $\mathrm{Hybrid}_{1, 0} \approx_c \mathrm{Hybrid}_{1, 1}$ by the (already assumed) $2^t \cdot \mathrm{poly}(\lambda)$-hiding of $\mathrm{Com}$.

To conclude the theorem statement, it suffices to instantiate $\mathrm{Com}$ in three ways:

- Assuming $2^t \cdot \mathrm{poly}(\lambda)$-secure non-interactive commitments (e.g. [BOV03, GHKW17, LS19]), one obtains the claimed 3-message protocol.

- Assuming $2^t \cdot \mathrm{poly}(\lambda)$-secure one-way functions, one obtains the OWF-based 4-message protocol.

- Assuming polynomially-secure collapsing hash functions, one obtains the collapsing-based 4-message protocol by defining $\mathrm{Com}(h, m; r, s) = (h(r), s, \langle r, s \rangle \oplus m)$. This commitment scheme is statistically hiding (i.e. hiding against unbounded adversaries), and so WI of the commit-and-prove protocol holds unconditionally, while the AoK property relies on collapsing.

This completes the proof of Theorem 1.7. □


11 The [GMW86] GNI Protocol is Post-Quantum Zero Knowledge

In this section, we show that our state-preserving extraction results imply the post-quantum ZK of the graph non-isomorphism protocol, proving Theorem 1.2. We begin by giving a description of the GNI protocol in Figure 8. Our description achieves soundness error $1/2$ (as does the original [GMW86]), but can be extended to the negligible soundness case (without increasing the number of rounds) with essentially the same proof of (post-quantum) ZK.
Figure 8: The Zero Knowledge Proof System for Graph Non-Isomorphism. Common input $(G_0, G_1)$; the parties are $P(G_0, G_1)$ and $V(G_0, G_1)$.

1. $V$ samples $\pi \leftarrow S_n$ and $b \leftarrow \{0, 1\}$ and sets $H = \pi(G_b)$. $V$ also samples $b_1, \ldots, b_n \leftarrow \{0, 1\}$ and, for all $i \in [n]$ and $\beta \in \{0, 1\}$, samples $\pi_{i, \beta} \leftarrow S_n$ and sets $G_{i, \beta} = \pi_{i, \beta}(G_{b_i \oplus \beta})$. $V$ sends $H$ and $\{G_{i,0}, G_{i,1}\}_{i \in [n]}$ to $P$.

2. $P$ samples $v \leftarrow \{0, 1\}^n$ and sends it to $V$.

3. $V$ sends $\{m_i\}_{i \in [n]}$, where: if $v_i = 0$, $m_i = (b_i, \pi_{i,0}, \pi_{i,1})$; if $v_i = 1$, $m_i = (b \oplus b_i, \pi_{i, b \oplus b_i} \circ \pi^{-1})$.

4. $P$ checks, for each $i$: if $v_i = 0$, for $m_i = (b_i, \pi_{i,0}, \pi_{i,1})$, that $(\pi_{i,0}^{-1}(G_{i,0}), \pi_{i,1}^{-1}(G_{i,1})) = (G_{b_i}, G_{1 - b_i})$; if $v_i = 1$, for $m_i = (c_i, \sigma)$, that $\sigma(H) = G_{i, c_i}$. If any check fails, $P$ aborts. Otherwise, $P$ finds $b'$ such that $G_{b'} \cong H$ and sends $b'$ to $V$.

5. $V$ accepts if $b' = b$.


Next, we give a slightly more abstract description of the protocol using instance-dependent 


commitments |BMO90} [IOS97| MVO03|. 


Construction 11.1. Fix a language L, let IDC be a non-interactive instance-dependent commit- 


ment} BMO90)} |[OS97,|MV03] for L, and let PoK be a statistically witness-indistinguishable proof 
of knowledge of the committed bit for IDC. Then, we define the following interactive proof system 
for the complement language L. 


1. The verifier commits to a bit b € {0,1} using IDC and sends it to the prover. 
2. The prover and verifier engage in PoK where the verifier proves knowledge of b. 
3. If the prover accepts in PoK, then it sends b’ as determined by the verifier’s commitment. 


4. The verifier accepts if b = b. 


iMW 86] instantiates this framework for the language L consisting of pairs of isomorphic graphs 
(and so L consists of pairs of non-isomorphic graphs, up to well-formedness of the string zx). 

Let GIComm be the following instance-dependent commitment scheme: GIComm((Go, G1), b; 7) = 
n(Gy) := H. Observe that if Go, G1 are isomorphic then this commitment is perfectly hiding, and 
if they are not then it is perfectly binding. Moreover, this commitment scheme admits a proof of 
knowledge of the committed bit as follows. 


1. The prover chooses $b_1, \dots, b_n \in \{0,1\}$ uniformly at random and sends commitments $C_{i,0} = \mathrm{GIComm}((G_0, G_1), b_i; \sigma_{i,0})$ and $C_{i,1} = \mathrm{GIComm}((G_0, G_1), b_i \oplus 1; \sigma_{i,1})$.

2. The verifier sends a random string $v \in \{0,1\}^n$.

3. The prover sends $b_i$ and opens $C_{i,0}, C_{i,1}$ for all $i$ such that $v_i = 0$. The prover sends $c_i := b \oplus b_i$ and $\tau_i = \sigma_{i, c_i} \circ \pi^{-1}$ for all $i$ such that $v_i = 1$.

4. The verifier accepts if the received openings are valid when $v_i = 0$, and $C_{i, c_i} = \tau_i(H)$ when $v_i = 1$, where $H$ is the commitment graph.

31 That is, when $x \in L$, a commitment $\mathrm{Com}(x, m)$ statistically hides the message $m$. When $x \notin L$, a commitment $\mathrm{Com}(x, m)$ statistically binds the committer to $m$.


Classically, we obtain $b$ by rewinding to find two accepting transcripts with $v_i \neq v'_i$ for some $i$: the transcript with $v_i = 0$ reveals $b_i$, the transcript with $v'_i = 1$ reveals $c_i = b \oplus b_i$, and so $b = b_i \oplus c_i$.
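As an added worked example (not code from the paper or from [GMW86]), the following Python instantiates GIComm on small graphs, runs the four-step proof of knowledge of the committed bit from the party who knows $(b, \pi)$, verifies both responses, and then applies the classical two-transcript extractor. The graph representation (frozensets of edges), the rewind (same first message, complementary challenge) and the sample instance (a path and a star on 4 vertices) are constructed for this example; `find_bit` brute-forces isomorphism the way the unbounded GNI prover would.

```python
import random
from itertools import permutations


def apply_perm(perm, graph):
    """Relabel the vertices of `graph` (a frozenset of edges (u, v), u < v) by `perm`."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)


def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)


def compose(p, q):
    """(p o q)(x) = p[q[x]]."""
    return tuple(p[q[x]] for x in range(len(q)))


def inverse(p):
    inv = [0] * len(p)
    for i, x in enumerate(p):
        inv[x] = i
    return tuple(inv)


def gicomm(G0, G1, b, pi):
    """GIComm((G0, G1), b; pi) = pi(G_b): perfectly hiding iff G0 ~ G1, else perfectly binding."""
    return apply_perm(pi, (G0, G1)[b])


def pok_commit(G0, G1, n, k, rng):
    """PoK step 1 (run by the party who committed to b): commit to b_i and to b_i xor 1."""
    st = [(rng.randrange(2), random_perm(n, rng), random_perm(n, rng)) for _ in range(k)]
    C = [(gicomm(G0, G1, bi, s0), gicomm(G0, G1, bi ^ 1, s1)) for bi, s0, s1 in st]
    return C, st


def pok_respond(b, pi, st, v):
    """PoK step 3: v_i = 0 -> open both commitments; v_i = 1 -> reveal c_i = b xor b_i and
    tau_i = sigma_{i,c_i} o pi^{-1}, which maps H = pi(G_b) onto C_{i,c_i}."""
    resp = []
    for (bi, s0, s1), vi in zip(st, v):
        if vi == 0:
            resp.append((bi, s0, s1))
        else:
            ci = b ^ bi
            resp.append((ci, compose((s0, s1)[ci], inverse(pi))))
    return resp


def pok_verify(G0, G1, H, C, v, resp):
    """PoK step 4: valid openings where v_i = 0, and tau_i(H) = C_{i,c_i} where v_i = 1."""
    for (C0, C1), vi, m in zip(C, v, resp):
        if vi == 0:
            bi, s0, s1 = m
            if (gicomm(G0, G1, bi, s0), gicomm(G0, G1, bi ^ 1, s1)) != (C0, C1):
                return False
        else:
            ci, tau = m
            if apply_perm(tau, H) != (C0, C1)[ci]:
                return False
    return True


def extract_bit(v1, resp1, v2, resp2):
    """Classical rewinding extractor: at any index where the challenges differ, the 0-response
    gives b_i and the 1-response gives c_i = b xor b_i, so b = b_i xor c_i."""
    for i, (x, y) in enumerate(zip(v1, v2)):
        if x != y:
            return resp1[i][0] ^ resp2[i][0]
    return None  # identical challenges: nothing can be extracted


def find_bit(G0, G1, H):
    """Last step of the unbounded GNI prover: the b' with G_{b'} isomorphic to H (brute force)."""
    n = 1 + max(max(e) for e in G0 | G1)
    hits = [b for b, G in enumerate((G0, G1))
            if any(apply_perm(p, G) == H for p in permutations(range(n)))]
    return hits[0] if len(hits) == 1 else None


def run_protocol(G0, G1, b, k=8, seed=1):
    """Commit to b, run the PoK twice from the same first message (a rewind) on complementary
    challenges, and return (both transcripts accept, extracted bit, prover's answer b')."""
    rng = random.Random(seed)
    n = 1 + max(max(e) for e in G0 | G1)
    pi = random_perm(n, rng)
    H = gicomm(G0, G1, b, pi)
    C, st = pok_commit(G0, G1, n, k, rng)
    v1 = [rng.randrange(2) for _ in range(k)]
    v2 = [vi ^ 1 for vi in v1]
    r1, r2 = pok_respond(b, pi, st, v1), pok_respond(b, pi, st, v2)
    ok = pok_verify(G0, G1, H, C, v1, r1) and pok_verify(G0, G1, H, C, v2, r2)
    return ok, extract_bit(v1, r1, v2, r2), find_bit(G0, G1, H)


# Constructed instance: a path and a star on 4 vertices (3 edges each, non-isomorphic).
PATH = frozenset({(0, 1), (1, 2), (2, 3)})
STAR = frozenset({(0, 1), (0, 2), (0, 3)})
```

`run_protocol(PATH, STAR, b=1)` returns `(True, 1, 1)`: both rewound transcripts verify, the extractor recovers the committed bit, and it agrees with what the unbounded prover would answer. Because the instance is non-isomorphic the commitment is binding, which is the only reason the extracted bit is well defined; on an isomorphic pair the same code would still run, but `find_bit` would report two hits and the bit would be perfectly hidden.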


Lemma 11.2. If $(G_0, G_1)$ are non-isomorphic then the above protocol is a statistically state-preserving proof of knowledge of the committed message for GIComm.

Proof. We have already shown that this protocol has a guaranteed extractor, because when $G_0$ and $G_1$ are not isomorphic, this protocol is collapsing onto the $b_i$ part of 0-challenge responses (as $b_i$ is fixed by the commitments $C_{i,0}, C_{i,1}$) and the protocol is $(2, g)$-probabilistically special sound (where $g$ checks, for the first challenge-partial response pair, the correctness of the 0-challenge response bits $b_i$ for $v_i = 0$ and, for the second challenge-partial response pair, the correctness of all $b_i$ ($v_i = 0$) and $c_i$ ($v_i = 1$)).

Moreover, the language $L_{G_0, G_1} = \{H : \exists (b, \pi) \text{ such that } \pi(G_b) = H\}$ has partial unique witnesses: for any $H \in L_{G_0, G_1}$, the bit $b$ is uniquely determined (given that $G_0$ and $G_1$ are not isomorphic). Thus, the state-preserving reduction applies (see Corollary 10.7), so this protocol has a state-preserving extractor. □


Finally, we note that Lemma 11.2 immediately implies that the GNI protocol is post-quantum (statistical) zero knowledge. We assume without loss of generality that the cheating verifier $V^*$ has a "classical" first message by replacing $V^*$ (with auxiliary state $|\psi\rangle$) with $(V^*, \rho)$ for the mixed state $\rho$ obtained by running $U_{V^*}$ on $|\psi\rangle$ to generate a first message, measuring it, and running $U_{V^*}^\dagger$.

The simulator is then described as follows:

• Given cheating verifier $V^*$ with classical first message $(\mathrm{com}, \mathrm{pok}_1)$, run the state-preserving PoK extractor on $V^*$ (which now acts as a PoK cheating prover).

• If the transcript generated by the state-preserving extractor is accepting, then output the bit $b$ in the "partial witness" slot of the extractor's output. Otherwise, send an aborting message.

The (statistical) zero knowledge property of this simulator follows immediately from the state-preserving property of the extractor. Moreover, the simulator inherits the $\mathrm{EQPT}_c$ structure directly from the extractor (with additional fixed polynomial-time pre- and post-processing). This completes the proof of Theorem 1.2.


12 The [FS90] Protocol is Post-Quantum Zero Knowledge

We recall the Feige-Shamir 4-message zero knowledge argument system for NP. This protocol uses three primitives as building blocks:

• A non-interactive commitment scheme Com.

• The 3-message WI argument of knowledge AoK constructed in Section 10.3. We note that AoK is public-coin.

• A 3-message delayed-witness WI argument of knowledge dAoK.

We will argue security using the particular instantiations of AoK and dAoK due to subtleties arising from the concurrent composition. Unlike AoK, we do not require that dAoK is state-preserving. The protocol is executed as follows.


• The verifier sends the following strings as its first message:

  – Two commitments $c_0, c_1$ generated as $c_i = \mathrm{Com}(0; r_i)$ for i.i.d. random strings $r_i$. For the post-quantum variant, following [Unr12, Unr16b], we additionally include commitments $c'_i = \mathrm{Com}(r_i; \rho_i)$ to the two random strings $r_0, r_1$.

  – A first (prover) message of AoK corresponding to the statement "$\exists i, r_i, \rho_i$ such that $c_i = \mathrm{Com}(0; r_i)$ and $c'_i = \mathrm{Com}(r_i; \rho_i)$." By default, the verifier uses $(b, r_b, \rho_b)$ as its witness for a randomly chosen bit $b$.

• The prover sends two strings as its first message:

  – A second (verifier) message of AoK (which is a uniformly random string).

  – A first (prover) message of dAoK corresponding to the statement "$x \in L$ or $\exists i, r_i, \rho_i$ such that $c_i = \mathrm{Com}(0; r_i)$ and $c'_i = \mathrm{Com}(r_i; \rho_i)$." No witness is required.

• The verifier sends two strings as its second message:

  – A third (prover) message of AoK, computed using $(b, r_b, \rho_b)$.

  – A second (verifier) message of dAoK (which is a uniformly random string).

• Finally, the prover sends the third message of dAoK. The prover uses a witness $w$ for $x \in L$ to generate this message.


12.1 Building Block: Delayed-Witness Proofs of Knowledge

In order to instantiate the Feige-Shamir protocol, we need a post-quantum instantiation of dAoK. In particular, we need:

Lemma 12.1. Assume that post-quantum non-interactive commitments exist. Then, there exists a delayed-witness $\Sigma$-protocol for NP that is witness indistinguishable against quantum verifiers and is a post-quantum proof of knowledge with negligible knowledge error.

Lemma 12.1 does not immediately follow from extraction techniques such as Unruh's rewinding lemma [Unr12, Lemma 7], because the canonical delayed-witness $\Sigma$-protocol is not collapsing, and those techniques only give results for collapsing protocols. Nonetheless, we show that (similar to the one-out-of-two graph isomorphism subprotocol of [GMW86]) by making use of a variant of $(2, g)$-PSS (Definition 5.6), a simple modification of Unruh's rewinding technique suffices to prove Lemma 12.1.
12.1.1 The [LS91] Protocol

We begin by recalling the [LS91] $\Sigma$-protocol for graph Hamiltonicity. The protocol uses a non-interactive commitment scheme Com as a building block, and is executed as follows.

• The prover, given as input the security parameter $1^\lambda$ and an input length $n$ (see footnote 32), sends $\lambda$ commitments $\mathrm{com}_i$ to adjacency matrices of i.i.d. random cycle graphs on $n$ vertices (i.e., graphs $H_i = \sigma_i(C_n)$ that are random permutations of a fixed cycle graph $C_n$ on $n$ vertices).

• The verifier sends a uniformly random string $r \leftarrow \{0,1\}^\lambda$.

• For the third round, the prover is given a graph $G$ and a fixed $n$-cycle represented by a permutation $\tau$ mapping $C_n$ to $G$. The prover then sends the following messages.

  – For each $i$ such that $r_i = 0$, the prover sends a full opening of the $i$th commitment $\mathrm{com}_i$.

  – For each $i$ such that $r_i = 1$, the prover sends $\sigma_i \tau^{-1}$ and opens the substring of $\mathrm{com}_i$ consisting of commitments to each non-edge of $\sigma_i \tau^{-1}(G)$.

• For each $i$ such that $r_i = 0$, the verifier checks that $\mathrm{com}_i$ was correctly opened to the adjacency matrix of a cycle graph. For each $i$ such that $r_i = 1$, the verifier checks that every matrix entry opened (namely, the entries at the non-edges of $\sigma_i \tau^{-1}(G)$) is a valid decommitment to 0.

By the perfect binding of Com, we know that this protocol satisfies 2-special soundness. In fact, it is the parallel repetition of a protocol satisfying 2-special soundness: for any index $i$, a commitment string $a_i$ along with a valid response $z_0$ to $r_i = 0$ and a valid response $z_1$ to $r_i = 1$ can be used to compute a Hamiltonian cycle in $G$. Indeed, it satisfies a variant of special soundness (implicitly related to $(2, g')$-PSS) described here:


Claim 12.2. There exists an extractor $\mathrm{SSExtract}(a, r_1, z_1^{(1)}, r_2, z_2, i)$ for the [LS91] protocol such that SSExtract outputs a valid NP witness under the following conditions:

• $r_{1,i} = 0$ and $r_{2,i} = 1$.

• $(a_i, r_{2,i}, z_{2,i})$ is an accepting transcript.

• There exists a response $z_{1,i}$ with prefix $z_{1,i}^{(1)}$ such that $(a_i, r_{1,i}, z_{1,i})$ is an accepting transcript.

Here, $z^{(1)}$ denotes the part of a response $z$ consisting of the messages opened (but not the commitment randomness).

Moreover, we note that the protocol is partially collapsing on 0-challenges: given a tuple $(x, a, r)$ and a state $|\phi\rangle = \sum_z \alpha_z |z\rangle$, any accepting response $z_i$ such that $r_i = 0$ can be partially measured, namely, the committed bits (but not the openings) can be measured, without (computationally detectably) disturbing $|\phi\rangle$. This is sufficient to prove Lemma 12.1.
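As an added worked example (not code from [LS91] or from this paper), the following Python implements the protocol above with a SHA-256 hash commitment standing in for Com, both verifier checks, and the extractor of Claim 12.2, which consumes only the opened bits $z^{(1)}$ of the 0-response together with a full 1-response. The instance $G$, the cycle $\tau$ and the hash commitment are constructed for the example; the commitment is assumed binding and hiding only for illustration.

```python
import hashlib
import os
import random


def commit(bit, nonce=None):
    """Hash-based stand-in for Com: Com(bit; nonce) = SHA-256(nonce || bit). Example only."""
    nonce = os.urandom(16) if nonce is None else nonce
    return hashlib.sha256(nonce + bytes([bit])).hexdigest(), nonce


def cycle_graph(n):
    return {frozenset((j, (j + 1) % n)) for j in range(n)}


def apply_perm(perm, edges):
    return {frozenset(perm[u] for u in e) for e in edges}


def compose(p, q):
    """(p o q)(x) = p[q[x]]."""
    return tuple(p[q[x]] for x in range(len(q)))


def inverse(p):
    inv = [0] * len(p)
    for i, x in enumerate(p):
        inv[x] = i
    return tuple(inv)


def non_edges(n, edges):
    return {(u, v) for u in range(n) for v in range(n) if u != v and frozenset((u, v)) not in edges}


def prover_commit(n, lam, rng):
    """Round 1: commit entrywise to the adjacency matrices of lam random cycles sigma_i(C_n)."""
    coms, state = [], []
    for _ in range(lam):
        sigma = list(range(n))
        rng.shuffle(sigma)
        H = apply_perm(tuple(sigma), cycle_graph(n))
        M = [[int(frozenset((u, v)) in H) for v in range(n)] for u in range(n)]
        C = [[commit(M[u][v]) for v in range(n)] for u in range(n)]
        coms.append([[c for c, _ in row] for row in C])
        state.append((tuple(sigma), M, [[nc for _, nc in row] for row in C]))
    return coms, state


def prover_respond(G, tau, state, r):
    """Round 3: r_i=0 -> open the whole matrix; r_i=1 -> send rho_i = sigma_i tau^{-1} and open
    only the entries at non-edges of rho_i(G), which are 0 because sigma_i(C_n) is a subgraph of rho_i(G)."""
    n = len(tau)
    resp = []
    for (sigma, M, N), ri in zip(state, r):
        if ri == 0:
            resp.append((M, N))
        else:
            rho = compose(sigma, inverse(tau))
            opened = {(u, v): (M[u][v], N[u][v]) for (u, v) in non_edges(n, apply_perm(rho, G))}
            resp.append((rho, opened))
    return resp


def is_hamiltonian_cycle_matrix(M):
    """Symmetric 0/1 matrix, zero diagonal, every vertex of degree 2, connected."""
    n = len(M)
    if any(M[u][v] != M[v][u] or M[u][u] for u in range(n) for v in range(n)):
        return False
    if any(sum(M[u]) != 2 for u in range(n)):
        return False
    seen, stack = {0}, [0]
    while stack:
        u = stack.pop()
        for v in range(n):
            if M[u][v] and v not in seen:
                seen.add(v)
                stack.append(v)
    return len(seen) == n


def verify(G, coms, r, resp):
    n = len(coms[0])
    for Ci, ri, z in zip(coms, r, resp):
        if ri == 0:
            M, N = z
            if not is_hamiltonian_cycle_matrix(M):
                return False
            if any(commit(M[u][v], N[u][v])[0] != Ci[u][v] for u in range(n) for v in range(n)):
                return False
        else:
            rho, opened = z
            if set(opened) != non_edges(n, apply_perm(rho, G)):
                return False
            if any(bit != 0 or commit(0, nc)[0] != Ci[u][v] for (u, v), (bit, nc) in opened.items()):
                return False
    return True


def ss_extract(G, z0_bits, z1):
    """Claim 12.2: from the opened bits of a 0-response (no randomness needed) and an accepting
    1-response (rho, openings) for the same com_i, output rho^{-1}(sigma_i(C_n)), a cycle inside G."""
    n = len(z0_bits)
    rho = z1[0]
    H = {frozenset((u, v)) for u in range(n) for v in range(u + 1, n) if z0_bits[u][v]}
    cycle = apply_perm(inverse(rho), H)
    return cycle if cycle <= G else None


def run(G, tau, lam=6, seed=3):
    """Two accepting transcripts on complementary challenges, then extraction at index 0."""
    rng = random.Random(seed)
    coms, st = prover_commit(len(tau), lam, rng)
    r = [rng.randrange(2) for _ in range(lam)]
    r2 = [x ^ 1 for x in r]
    z, z2 = prover_respond(G, tau, st, r), prover_respond(G, tau, st, r2)
    ok = verify(G, coms, r, z) and verify(G, coms, r2, z2)
    z0, z1 = (z[0], z2[0]) if r[0] == 0 else (z2[0], z[0])
    return ok, ss_extract(G, z0[0], z1)


# Constructed instance: G contains the 5-cycle tau(C_5) plus one extra edge.
TAU = (1, 3, 0, 2, 4)
G = apply_perm(TAU, cycle_graph(5)) | {frozenset((0, 1))}
```

`run(G, TAU)` returns `(True, cycle)` with `cycle` equal to $\tau(C_5)$. Note that `ss_extract` receives `z0[0]`, the committed bits only, and never the 0-response's nonces: that is the classical counterpart of the quantum extractor in Section 12.1.2 measuring only the opened-message registers for $r_i = 0$.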


32 Note that the prover does not even need to know the instance $x$ to compute this message; however, we consider an a priori fixed statement $x$ to make sense of the proof-of-knowledge property.

12.1.2 Proof of Lemma 12.1


The fact that this protocol is witness indistinguishable follows from the fact that it is a parallel repetition of a post-quantum ZK protocol [Wat06]. What remains is to establish the proof-of-knowledge property.

We consider the following variant of Unruh's approach to knowledge extraction [Unr12]:

1. Given a cheating prover $P^*$, first generate a (classical) first message $a$ from $P^*$. Let $|\psi\rangle$ denote the internal state of $P^*$ at this point.

2. Sample a uniformly random challenge $r$ and compute the $P^*$ unitary $U_r |\psi\rangle$, which writes its response onto some register $\mathcal{Z}$. Apply the one-bit measurement $(\Pi_{V,r}, I - \Pi_{V,r})$ that checks whether $V(x, a, r, z) = 1$.

3. If the measurement returns 1, additionally measure every register $\mathcal{Z}_i^{(1)}$ (the opened messages, but not the commitment randomness) corresponding to $r_i = 0$.

4. Apply $U_r^\dagger$ to the prover state.

5. Sample an independent random challenge $r'$ and apply $U_{r'}$. Apply the one-bit measurement $(\Pi_{V,r'}, I - \Pi_{V,r'})$.

6. If the measurement returns 1, additionally measure the entire response $\mathcal{Z}$.

7. If both measurements returned 1, and there exists an index $i$ such that $r_i = 0$ and $r'_i = 1$, compute $\mathrm{SSExtract}(x, \mathrm{com}_i, 0, z_i^{(1)}, 1, z'_i)$, where $z_i^{(1)}$ is the first partially measured response in location $i$ and $z'_i$ is the second measured response in location $i$. Otherwise, abort.

To show that this extraction procedure works, we first consider the variant in which no response measurements are applied (Step 3 and Step 6 are omitted). Then, by Unruh's rewinding lemma [Unr12, Lemma 7], if $U_r |\psi\rangle$ produces an accepting response with probability at least $\varepsilon$ (over the randomness of $r$), then the two binary measurements applied above will both return 1 with probability at least $\varepsilon^3$. Then, by the fact that the protocol is partially collapsing on 0-challenges, this continues to hold (up to a negligible loss) even if the measurement in Step 3 is applied.

Finally, since the probability that i.i.d. uniform strings $r, r'$ do not have an index $i$ such that $r_i = 0$ and $r'_i = 1$ is $(3/4)^\lambda = \mathrm{negl}(\lambda)$, we conclude that with probability $\varepsilon^3 - \mathrm{negl}(\lambda)$ the above extractor produces a partial accepting response $z_i^{(1)}$ and an accepting response $z'_i$ for some $i$ such that $r_i = 0$ and $r'_i = 1$, and so SSExtract successfully outputs a witness. If $P^*$ is convincing with initial non-negligible probability $\gamma$, then with probability at least $\gamma/2$ (over the first message), $|\psi\rangle$ is at least $\gamma/2$-convincing, and so SSExtract outputs a valid witness with probability at least $\Omega(\gamma^4)$. This completes the proof of Lemma 12.1.


12.2 Proof of Security for the [FS90] Protocol

We now prove the security of the Feige-Shamir protocol using suitable building blocks (Com, AoK, dAoK).

Theorem 12.3. Suppose that:

• Com is a post-quantum non-interactive commitment scheme,

• AoK is the 3-message state-preserving WI proof of knowledge for NP (with $\mathrm{EQPT}_c$ extraction) from Section 10.3, and

• dAoK is the argument system from Lemma 12.1.

Then, the Feige-Shamir protocol is both sound and zero-knowledge against QPT adversaries. The zero-knowledge simulator is $\mathrm{EQPT}_c$.

Combining Theorem 12.3 with the results of Section 10 implies Theorem 1.3. We remark that the theorem is non-generic with respect to AoK and dAoK due to complications in the security proof coming from the fact that AoK and dAoK are executed simultaneously.


Proof. We first prove soundness, followed by ZK.

Proof of Soundness. Suppose that $x \notin L$ and $P^*$ is a QPT prover that convinces $V$ with non-negligible probability. Given such a $P^*$, we define a cheating prover $P^*_{\mathrm{dAoK}}$ for the underlying dAoK that is given as additional auxiliary input strings $(c_0, c'_0, c_1, c'_1, b, r_b, \rho_b)$ such that $c_b = \mathrm{Com}(0; r_b)$ and $c'_b = \mathrm{Com}(r_b; \rho_b)$. $P^*_{\mathrm{dAoK}}$ simply emulates $P^*$ while generating AoK messages using its auxiliary input. That is:

• $P^*_{\mathrm{dAoK}}$ generates a message $\mathrm{aok}_1$ using its auxiliary input and calls $P^*$ on $(c_0, c'_0, c_1, c'_1, \mathrm{aok}_1)$. This results in a $P^*$-message $(\mathrm{aok}_2, \mathrm{daok}_1)$. $P^*_{\mathrm{dAoK}}$ returns $\mathrm{daok}_1$.

• Upon receiving a verifier challenge $r$, $P^*_{\mathrm{dAoK}}$ computes an honestly generated message $\mathrm{aok}_3$ (deterministically (see footnote 33) and independent of $r$) using its auxiliary input and calls $P^*$ on $(\mathrm{aok}_3, r)$. This results in a $P^*$-message $\mathrm{daok}_3$, which $P^*_{\mathrm{dAoK}}$ outputs.

If the auxiliary input $(c_0, c'_0, c_1, c'_1, b, r_b, \rho_b)$ is sampled from the correct distribution, $P^*_{\mathrm{dAoK}}$ perfectly emulates the interaction of $P^*$ and the honest Feige-Shamir verifier, so $P^*_{\mathrm{dAoK}}$ is convincing with non-negligible probability $\varepsilon$ by assumption. Thus, the dAoK knowledge extractor from Lemma 12.1 outputs a valid witness for the statement "$\exists i, r_i, \rho_i$ such that $c_i = \mathrm{Com}(0; r_i)$ and $c'_i = \mathrm{Com}(r_i; \rho_i)$" with probability at least $\Omega(\varepsilon^4)$.

Claim 12.4. The probability that the dAoK extractor succeeds and $i \neq b$ is also $\Omega(\varepsilon^4)$.

Proof. If this is not the case, then we obtain an algorithm breaking the WI property of AoK. For a fixed statement $(c_0, c'_0, c_1, c'_1)$, the algorithm $V^*_{\mathrm{AoK}}$, given an honestly generated message $\mathrm{aok}_1$, calls $(\mathrm{aok}_2, \mathrm{daok}_1) \leftarrow P^*(c_0, c'_0, c_1, c'_1, \mathrm{aok}_1)$ and returns the message $\mathrm{aok}_2$. Given a fixed response $\mathrm{aok}_3$, $V^*_{\mathrm{AoK}}$ emulates the dAoK extractor from Lemma 12.1 by sampling i.i.d. strings $r, r'$ for dAoK and re-using the message $\mathrm{aok}_3$. Then, if the extractor returns a valid witness $(i, r_i, \rho_i)$, $V^*_{\mathrm{AoK}}$ returns the bit $i$. If not, $V^*_{\mathrm{AoK}}$ guesses at random.

Since this faithfully emulates the execution of the dAoK extractor on $P^*_{\mathrm{dAoK}}$ and we assumed that it succeeds with probability $\Omega(\varepsilon^4)$, we conclude that the WI property of AoK with respect to $V^*_{\mathrm{AoK}}$ implies the claim. □

33 If randomness is required to generate this message, let it be fixed in advance in $P^*_{\mathrm{dAoK}}$'s internal state.
• Construct a first message $\mathrm{daok}_1$ using the honest dAoK prover algorithm.

• For fixed classical strings $(c_0, c'_0, c_1, c'_1, \mathrm{aok}_1, \mathrm{daok}_1)$, define an AoK cheating prover $P^*_{\mathrm{AoK}}$ with the following description:
  – Send $\mathrm{aok}_1$.
  – On challenge $s$, call $V^*$ on $(s, \mathrm{daok}_1)$. Upon receiving $(\mathrm{aok}_3, r)$, return $\mathrm{aok}_3$.

• Run the state-preserving extractor $\mathrm{Extract}^{P^*_{\mathrm{AoK}}, \mathrm{aok}_1, \rho}$, outputting the (unique possible) witness $\mathrm{td}$ along with a $P^*_{\mathrm{AoK}}$-view (which includes a $V^*$-view in it).

• If the output witness is $\bot$, send an aborting final message. Otherwise, compute $\mathrm{daok}_3$ using $\mathrm{td}$.

Figure 9: The Feige-Shamir protocol simulator.

However, this implies that the dAoK extractor breaks the computational hiding property of Com. This is because if $c_{1-b}$ were instead sampled as $\mathrm{Com}(1; r_{1-b})$ and $c'_{1-b}$ sampled as $\mathrm{Com}(r_{1-b}; \rho_{1-b})$, it is information theoretically impossible for the dAoK extractor to output a witness such that $i \neq b$. This concludes the proof of soundness.


Proof of ZK. We assume without loss of generality that the cheating verifier $V^*$ has a "classical" first message $(c_0, c'_0, c_1, c'_1, \mathrm{aok}_1)$ by replacing $V^*$ (with auxiliary state $|\psi\rangle$) with $(V^*, \rho)$ for the mixed state $\rho$ obtained by running $U_{V^*}$ on $|\psi\rangle$ to generate a first message, measuring it, and running $U_{V^*}^\dagger$.

By the construction of AoK in Section 10.3, we know that the tuple $(c_0, c'_0, c_1, c'_1, \mathrm{aok}_1)$ uniquely determines a witness $\mathrm{td} = (b, r_b, \rho_b)$ that the AoK extractor can ever output (if such a witness exists; otherwise, we define $\mathrm{td}$ to be $\bot$). We non-uniformly include $\mathrm{td}$ in the description of the $V^*$ state $\rho$ without loss of generality (this does not affect the simulator, only the analysis).

Our black-box zero-knowledge simulator is defined in Figure 9.

We claim that this achieves negligible simulation accuracy. We prove this via a hybrid argument:

• $\mathrm{Hyb}_0$: This is the simulated view of $V^*$.

• $\mathrm{Hyb}_1$: This is the same as $\mathrm{Hyb}_0$, except that $\mathrm{daok}_3$ is computed using an NP-witness $w$ for $x$.

• $\mathrm{Hyb}_2$: This is the real view of $V^*$.

The indistinguishability of $\mathrm{Hyb}_1$ and $\mathrm{Hyb}_2$ follows immediately from the state-preserving property of AoK, as the view of $P^*_{\mathrm{AoK}}$ contains an entire correctly emulated view of $V^*$.

The indistinguishability of $\mathrm{Hyb}_0$ and $\mathrm{Hyb}_1$ follows from the witness indistinguishability of dAoK. To prove this, we assume for the sake of contradiction that $\mathrm{Hyb}_0$ and $\mathrm{Hyb}_1$ are distinguishable by a polynomial-time distinguisher $D$ with non-negligible advantage $\varepsilon$. Then, we construct the following two additional hybrids:

• $\mathrm{Hyb}'_0$: This is the simulated view of $V^*$, except that Extract is replaced by a $\mathrm{poly}(\lambda, 1/\varepsilon)$-size oracle algorithm that achieves accuracy $\varepsilon/4$.

• $\mathrm{Hyb}'_1$: This is the same as $\mathrm{Hyb}'_0$ except that $\mathrm{daok}_3$ is computed using an NP-witness $w$ for $x$.

By a hybrid argument, we conclude that $D$ also distinguishes $\mathrm{Hyb}'_0$ and $\mathrm{Hyb}'_1$ with advantage $\varepsilon/2$. We claim that this breaks the witness indistinguishability of dAoK. Define a dAoK verifier $V^*_{\mathrm{dAoK}}$ operating as follows.

• $V^*_{\mathrm{dAoK}}$ has the state $\rho$ as auxiliary input (including $c_0, c'_0, c_1, c'_1, \mathrm{aok}_1, \mathrm{td}$). $V^*_{\mathrm{dAoK}}$ wants to distinguish between proofs using witness $w$ and proofs using witness $\mathrm{td}$.

• $V^*_{\mathrm{dAoK}}$ receives $\mathrm{daok}_1$ from the prover. It then calls (the $\varepsilon/4$-truncated) $\mathrm{Extract}^{P^*_{\mathrm{AoK}}, \mathrm{aok}_1, \rho}$, which returns a $P^*_{\mathrm{AoK}}$-view. $V^*_{\mathrm{dAoK}}$ sends the challenge $r$ from the $P^*_{\mathrm{AoK}}$-view to the prover.

• Finally, upon receiving $\mathrm{daok}_3$ from the prover, $V^*_{\mathrm{dAoK}}$ outputs the emulated $V^*$ view.

$V^*_{\mathrm{dAoK}}$ has been constructed to be (aux-input) QPT, and (along with the distinguisher $D$) violates the WI property of dAoK, giving the claimed contradiction.

We conclude that the Feige-Shamir protocol is ZK, as desired. We note that the zero-knowledge simulator inherits the $\mathrm{EQPT}_c$ structure of the AoK state-preserving extractor (with some additional fixed poly-time pre- and post-processing). □


13 The [GK96] Protocol is Post-Quantum Zero Knowledge

In this section we show that the Goldreich-Kahan constant-round proof system for NP is post-quantum zero knowledge by giving an $\mathrm{EQPT}_c$ simulator. In Section 13.1 we give a technical lemma about the distinguishability of certain purifications that will be of central importance in the proof. In Section 13.2 we describe our quantum simulator.

13.1 Indistinguishability of Projections onto Indistinguishable States

Consider the states $|D_b\rangle := \sum_x |x\rangle_{\mathcal{X}} |D_b(x)\rangle_{\mathcal{Y}}$ where $D_0, D_1$ are computationally indistinguishable (w.r.t. quantum adversaries) efficiently sampleable classical distributions with random coins $x$ (in a slight abuse of notation, $D_b$ denotes both the distribution and the sample). If we are only given access to $\mathcal{Y}$, then distinguishing $|D_0\rangle$ from $|D_1\rangle$ is clearly hard, since $\mathrm{Tr}_{\mathcal{X}}(|D_b\rangle\langle D_b|)$ is equivalent to a random classical sample from $D_b$.

In this subsection, we show that this indistinguishability generically extends to the setting where we additionally give the distinguisher access to the projection $|D_b\rangle\langle D_b|$ on $\mathcal{X} \otimes \mathcal{Y}$. This is formalized by giving the distinguisher an additional one-qubit register $\mathcal{B}$ and black-box access to the unitary $U_b$ and its inverse acting on $\mathcal{X} \otimes \mathcal{Y} \otimes \mathcal{B}$ defined as

$$U_b = |D_b\rangle\langle D_b|_{\mathcal{X},\mathcal{Y}} \otimes X_{\mathcal{B}} + \left(I_{\mathcal{X},\mathcal{Y}} - |D_b\rangle\langle D_b|_{\mathcal{X},\mathcal{Y}}\right) \otimes I_{\mathcal{B}},$$

where $X_{\mathcal{B}}$ denotes the bit-flip operator on $\mathcal{B}$. In particular, it is no longer the case that access to $|D_b\rangle$ is equivalent to a random classical sample from $D_b$, since the distinguisher's access to $U_b$ means that $\mathcal{X}$ is no longer independent of its view. Nevertheless, we prove the following.
Lemma 13.1. If there exists a polynomial-time quantum oracle distinguisher $S^{U_b}$ without direct access to $\mathcal{X}$ achieving

$$\left| \Pr\left[S^{U_0}(|D_0\rangle_{\mathcal{X},\mathcal{Y}}) = 1\right] - \Pr\left[S^{U_1}(|D_1\rangle_{\mathcal{X},\mathcal{Y}}) = 1\right] \right| = 1/\mathrm{poly}(\lambda),$$

then there exists a polynomial-time quantum algorithm $S'$ that distinguishes classical samples from the distributions $D_0$ and $D_1$.

Our proof will make use of two results by Zhandry [Zha12, Zha15], which we restate here for convenience. In the following, quantum oracle access to a function $f : X \to Y$ refers to black-box access to the unitary that maps $|x\rangle |y\rangle \mapsto |x\rangle |f(x) \oplus y\rangle$ for all $x, y$.

Theorem 13.2 (Theorem 1.1 of [Zha12]). Let $D_0$ and $D_1$ be efficiently sampleable distributions on a set $Y$, and let $X$ be some other set. Let $O_0$ and $O_1$ be the distributions of functions from $X$ to $Y$ where for each $x \in X$, $O_b(x)$ is chosen independently according to $D_b$. Then if $A$ is an efficient quantum algorithm that can distinguish between quantum access to the oracle $O_0$ and quantum access to the oracle $O_1$, we can construct an efficient quantum algorithm $B$ that distinguishes classical samples from $D_0$ and $D_1$.

Theorem 13.3 ([Zha15]). An efficient quantum algorithm cannot distinguish between quantum access to an oracle $f$ implementing a random function $X \to X$ and an oracle $\pi$ implementing a random permutation $X \to X$.

Proof. By [Zha12, Theorem 1.1], it suffices for us to show that if there exists a distinguisher $S^{U_b}$ that distinguishes $|D_0\rangle_{\mathcal{X},\mathcal{Y}}$ from $|D_1\rangle_{\mathcal{X},\mathcal{Y}}$ without directly accessing the $\mathcal{X}$ register, then there is an algorithm to distinguish between quantum oracle access to $D_0 \circ f$ and $D_1 \circ f$ (where $D_b \circ f$ is the composed function $D_b(f(\cdot))$) where $f : X \to X$ is a random function.

By [Zha15], we observe that it suffices to show that $S^{U_b}$ implies an algorithm to distinguish between quantum oracle access to $D_0 \circ \pi$ and $D_1 \circ \pi$ for a random permutation $\pi : X \to X$.

Given quantum oracle access to $D_b \circ \pi$, we can implement a unitary $V_{b,\pi}$ that maps $|0\rangle_{\mathcal{X},\mathcal{Y}}$ to the state $|D_{b,\pi}\rangle = \sum_x |x\rangle |D_b(\pi(x))\rangle$ as follows: apply a Hadamard transform to $\mathcal{X}$, then apply the $D_b \circ \pi$ oracle to $\mathcal{X} \otimes \mathcal{Y}$.

We can hence use $S$ to distinguish $b = 0$ from $b = 1$ as follows. We prepare the state $|D_{b,\pi}\rangle_{\mathcal{X},\mathcal{Y}}$ using $V_{b,\pi}$. Using $V_{b,\pi}$, we can also implement the operation

$$U_{b,\pi} = |D_{b,\pi}\rangle\langle D_{b,\pi}| \otimes X_{\mathcal{B}} + \left(I - |D_{b,\pi}\rangle\langle D_{b,\pi}|\right) \otimes I_{\mathcal{B}}$$

as follows: apply $V_{b,\pi}^\dagger$ to $\mathcal{X} \otimes \mathcal{Y}$, apply $|0\rangle\langle 0|_{\mathcal{X},\mathcal{Y}} \otimes X_{\mathcal{B}} + (I - |0\rangle\langle 0|_{\mathcal{X},\mathcal{Y}}) \otimes I_{\mathcal{B}}$, then apply $V_{b,\pi}$. We can therefore run $S^{U_{b,\pi}}(|D_{b,\pi}\rangle)$.

Since $S^{U_b}$ does not act on $\mathcal{X}$ except via its oracle, and $|D_b\rangle$ is related to $|D_{b,\pi}\rangle$ by a unitary acting on $\mathcal{X}$ only, it holds that

$$\mathrm{Tr}_{\mathcal{X}}\left(S^{U_{b,\pi}}(|D_{b,\pi}\rangle\langle D_{b,\pi}|)\right) = \mathrm{Tr}_{\mathcal{X}}\left(S^{U_b}(|D_b\rangle\langle D_b|)\right),$$

which completes the proof. □
13.2 Quantum Simulator

We begin by describing a variable-runtime $\mathrm{EQPT}_m$ estimation procedure that will be a useful subroutine in our quantum zero-knowledge simulator for [GK96]. Let VarEstimate and Transform be the first and second stages of the variable-runtime singular vector transform (vrSVT). For binary projective measurements $A, B, C$ on $\mathcal{A}$, we define an "estimate-disturb-transform" procedure $\mathrm{EDT}[A, B, C]$. Intuitively, this procedure first uses VarEstimate to compute an upper bound on the running time of $\mathrm{Transform}[A \to B]$, but then disturbs the state with the measurement $C$ before running $\mathrm{Transform}[A \to B]$. However, to ensure that VarEstimate does not run for unbounded time, the input is first "conditioned" by applying $B$ followed by $A$, and only proceeding if both measurements return 1.

Formally, the procedure takes an input state on $\mathcal{A}$ and does the following:

$\mathrm{EDT}[A, B, C]$:

1. Apply $B$ to $\mathcal{A}$, obtaining outcome $b_1$.
2. Apply $A$ to $\mathcal{A}$, obtaining outcome $b_2$.
3. If $b_1 = 0$ or $b_2 = 0$, stop and output $(0, \bot)$.
4. Otherwise, run $\mathrm{VarEstimate}_\delta[A \Rightarrow B]$ on $\mathcal{A}$, obtaining classical output $\gamma$.
5. Apply $C$ to $\mathcal{A}$, obtaining outcome $c$.
6. Run $\mathrm{Transform}_\gamma[A \to B]$ on $\mathcal{A}$.
7. Output $\mathcal{A}$ and $(1, c)$.

We also write $\mathrm{EDT}[A, B, C]$ for a coherent implementation of this procedure.

Claim 13.4. For any efficient measurements $A, B, C$, $\mathrm{EDT}[A, B, C]$ is $\mathrm{EQPT}_m$.

Proof. Since $\mathrm{EDT}[A, B, C]$ commutes with $\mathsf{M}_{\mathrm{Jor}}[A, B]$, it suffices to analyze its running time for states contained within a single Jordan subspace. Let $|\psi_j\rangle = \alpha |w_{j,1}\rangle + \beta |w_{j,0}\rangle$. Then

$$\Pr[b_1 = b_2 = 1] = |\alpha|^2 \Pr[A(|w_{j,1}\rangle) = 1] \le p_j.$$

Note that $C$ does not affect the running time of Transform. Hence the expected running time of this procedure on $|\psi_j\rangle$ is

$$O\left(\left(p_j \cdot \frac{\log(1/\delta)}{\sqrt{p_j}} + 1\right) \cdot (t_A + t_B)\right) = O\left(\log(1/\delta) \cdot (t_A + t_B)\right).$$

It follows that this procedure is $\mathrm{EQPT}_m$. □

We define the states and measurements used in the simulator.

• For $r \in R$, let $|\mathrm{Sim}_r\rangle = \sum_{\mu} |\mu\rangle_{\mathcal{M}} |\mathsf{SHVZK.Sim}(r; \mu)\rangle_{\mathcal{A},\mathcal{Z}}$.

• Let $\mathsf{M}_{\mathrm{sim}} := (\Pi_{\mathrm{sim}}, I - \Pi_{\mathrm{sim}})$, where $\Pi_{\mathrm{sim}} = \sum_r |r\rangle\langle r| \otimes |\mathrm{Sim}_r\rangle\langle \mathrm{Sim}_r| \otimes I$.

• Let $\mathsf{M}_R := (\Pi_r)_{r \in R}$, where $\Pi_r := U_{V^*}^\dagger |r\rangle\langle r|_{\mathcal{R}} U_{V^*}$.

• Let $\mathsf{M}_{\mathrm{com}} := (\Pi_{\mathrm{com}}, I - \Pi_{\mathrm{com}})$, where

$$\Pi_{\mathrm{com}} = U_{V^*}^\dagger \left( \sum_{\substack{r, w \\ \mathsf{Commit}(ck, r, w) = \mathrm{com}}} |r, w\rangle\langle r, w|_{\mathcal{R},\mathcal{W}} \otimes I \right) U_{V^*}.$$
$\mathrm{Sim}'$:

1. Run $V^*(ck)$ for $ck \leftarrow \mathsf{Gen}(1^\lambda)$ to obtain a commitment $\mathrm{com}$.
2. Generate the state $|0\rangle_{\mathcal{R}'} |\mathrm{Sim}_0\rangle_{\mathcal{M},\mathcal{A},\mathcal{Z}}$.
3. Apply $\mathrm{EDT}[\mathsf{M}_{\mathrm{com}}, \mathsf{M}_{\mathrm{sim}}, \mathsf{M}_R]$, obtaining outcome $(b, r)$ (in superposition). Measure $b$.
4. If $b = 1$, measure $r$ and replace the state on $\mathcal{R}', \mathcal{M}, \mathcal{A}, \mathcal{Z}$ with $|r\rangle_{\mathcal{R}'} |\mathrm{Sim}_r\rangle_{\mathcal{M},\mathcal{A},\mathcal{Z}}$.
5. Apply $\mathrm{EDT}[\mathsf{M}_{\mathrm{com}}, \mathsf{M}_{\mathrm{sim}}, \mathsf{M}_R]^\dagger$.
6. Measure register $\mathcal{A}$, obtaining outcome $a$. Apply $U_{V^*}$ and measure $\mathcal{R}, \mathcal{W}$ to obtain $(r', w)$; if $\mathsf{Commit}(r', w) \neq \mathrm{com}$, stop and output the view of $V^*$. Otherwise, measure $\mathcal{Z}$, obtaining outcome $z$. Send $z$ to $V^*$ and output the view of $V^*$.

Lemma 13.5. If Com is a collapse-binding commitment then $\mathrm{Sim}'(\rho)$ is computationally indistinguishable from $\mathrm{out}_{V^*}(P, V^*)$. $\mathrm{Sim}'$ is an $\mathrm{EQPT}_c$ algorithm.

Proof. By Claim 13.4, $\mathrm{EDT}[\mathsf{M}_{\mathrm{com}}, \mathsf{M}_{\mathrm{sim}}, \mathsf{M}_R]$ is $\mathrm{EQPT}_m$, and so $\mathrm{Sim}'$ is $\mathrm{EQPT}_c$.

We consider three hybrid simulators $H_1, H_2, H_3$, as follows. All three are provided with some witness $w$ such that $(x, w) \in R$. We first define $H_1$.

$H_1^{V^*}(x, w)$:

1. Run $V^*(ck)$ for $ck \leftarrow \mathsf{Gen}(1^\lambda)$ to obtain a commitment $\mathrm{com}$.
2. Generate the state $|P\rangle = \sum_\mu |\mu\rangle_{\mathcal{M}} |P_\Sigma(x, w; \mu)\rangle_{\mathcal{A}}$.
3. Let $\mathsf{M}_P := (|P\rangle\langle P|, I - |P\rangle\langle P|)$. Apply $\mathrm{EDT}[\mathsf{M}_{\mathrm{com}}, \mathsf{M}_P, \mathsf{M}_R]$, obtaining outcome $(b, r)$ (in superposition). Measure $b$.
4-6. As in $\mathrm{Sim}'$.

$H_1$ is indistinguishable from $\mathrm{Sim}'$ by Lemma 13.1: $H_1$ is obtained from $\mathrm{Sim}'$ by replacing $|\mathrm{Sim}_0\rangle$ and $\mathsf{M}_{\mathrm{sim}}$ with $|P\rangle$ and $\mathsf{M}_P$, the rest of the simulator interacts only with the $\mathcal{A}$ register, and the distributions on $a$ induced by $(a, z) \leftarrow \mathsf{SHVZK.Sim}(0; \mu)$ and $a \leftarrow P_\Sigma(x, w; \mu')$ are computationally indistinguishable.

$H_2^{V^*}(x, w)$:

1-3. As in $H_1$.
4. If $b = 1$, measure $r$ and replace the state on $\mathcal{M}, \mathcal{A}, \mathcal{Z}$ with
$$|P_r\rangle = \sum_\mu |\mu\rangle_{\mathcal{M}} |P_\Sigma(x, w; \mu)\rangle_{\mathcal{A}} |P_\Sigma(x, w, r; \mu)\rangle_{\mathcal{Z}}.$$
5. Let $\mathsf{M}_{P_r} := (|P_r\rangle\langle P_r|, I - |P_r\rangle\langle P_r|)$. Apply $\mathrm{EDT}[\mathsf{M}_{\mathrm{com}}, \mathsf{M}_{P_r}, \mathsf{M}_R]^\dagger$.
6. As in $\mathrm{Sim}'$.

By the SHVZK guarantee, the distributions on $(a, z)$ given by $a \leftarrow P_\Sigma(x, w; \mu)$, $z \leftarrow P_\Sigma(x, w, r; \mu)$ and $(a, z) \leftarrow \mathsf{SHVZK.Sim}(r; \mu')$ are computationally indistinguishable. Hence, by Lemma 13.1, $H_1$ and $H_2$ are computationally indistinguishable.

By the correctness guarantee of the vrSVT, if $b = 1$ then the state $\rho$ at the beginning of Step 4 has $\mathrm{Tr}(|P\rangle\langle P| \rho) \ge 1 - \delta$. Note that $|P\rangle$ and $|P_r\rangle$ are related by an efficient local isometry $T_r : \mathcal{M} \to \mathcal{M} \otimes \mathcal{Z}$. Hence Step 4 is $\sqrt{\delta}$-close in trace distance to an application of this isometry. Switching to this state, we can commute the isometry through $\mathrm{EDT}[\mathsf{M}_{\mathrm{com}}, \mathsf{M}_{P_r}, \mathsf{M}_R]^\dagger$, which conjugates it to $\mathrm{EDT}[\mathsf{M}_{\mathrm{com}}, \mathsf{M}_P, \mathsf{M}_R]^\dagger$. This leads to the third hybrid, below.

$H_3^{V^*}(x, w)$:

1-3. As in $H_2$.
4. If $b = 1$, measure $r$.
5. Apply $\mathrm{EDT}[\mathsf{M}_{\mathrm{com}}, \mathsf{M}_P, \mathsf{M}_R]^\dagger$.
6. Apply $U_{V^*}$ and measure $\mathcal{R}, \mathcal{W}$ to obtain $(r', w)$. If $\mathsf{Commit}(r', w) \neq \mathrm{com}$, stop and output the view of $V^*$. Otherwise, apply $T_r$ to $\mathcal{M}$ and measure $\mathcal{Z}$, obtaining outcome $z$. Send $z$ to $V^*$ and output the view of $V^*$.

$H_3$ is statistically close to $H_2$ provided that $\Pr[r = r'] = 1 - \mathrm{negl}(\lambda)$. Moreover, the collapsing property of the commitment implies that Step 4 is computationally undetectable. If this step is removed then the effect of Steps 3 and 5 is simply to apply $\mathsf{M}_{\mathrm{com}}$; the output is then precisely the view of $V^*$ in a real execution.

Finally, we have that $r = r'$ with all but negligible probability by the unique message-binding of the commitment scheme (Lemma 4.2). □